From 6562a3b095dac728996ac0744c811bf9cb96b925 Mon Sep 17 00:00:00 2001
From: Frank Mertens
Date: Tue, 30 Jul 2024 02:52:28 +0200
Subject: [PATCH 01/11] Update wolfSSL submodule to v5.7.2
---
 CMakeLists.txt | 176 +++++++--
 port/user_settings.h | 886 ++++++++++++++++++++++++++++++++++++++-----
 wolfssl | 2 +-
 3 files changed, 943 insertions(+), 121 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a359adc..73e1345 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,37 +1,149 @@ -set(COMPONENT_SRCDIRS "wolfssl/src/" - "wolfssl/wolfcrypt/src" - "wolfssl/wolfcrypt/src/port/Espressif/" - "wolfssl/wolfcrypt/src/port/atmel/" - ) +idf_component_register( + COMPONENT_NAME + "esp-wolfssl" -set(COMPONENT_REQUIRES lwip) + SRCS + # "wolfssl/src/bio.c" + # "wolfssl/src/conf.c" + "wolfssl/src/crl.c" + "wolfssl/src/dtls13.c" + "wolfssl/src/dtls.c" + "wolfssl/src/internal.c" + "wolfssl/src/keys.c" + "wolfssl/src/ocsp.c" + # "wolfssl/src/pk.c" + "wolfssl/src/quic.c" + "wolfssl/src/sniffer.c" + # "wolfssl/src/ssl_asn1.c" + # "wolfssl/src/ssl_bn.c" + "wolfssl/src/ssl.c" + # "wolfssl/src/ssl_certman.c" + # "wolfssl/src/ssl_crypto.c" + # "wolfssl/src/ssl_load.c" + # "wolfssl/src/ssl_misc.c" + # "wolfssl/src/ssl_p7p12.c" + # "wolfssl/src/ssl_sess.c" + "wolfssl/src/tls13.c" + "wolfssl/src/tls.c" + "wolfssl/src/wolfio.c" + # "wolfssl/src/x509.c" + # "wolfssl/src/x509_str.c" -set(COMPONENT_ADD_INCLUDEDIRS - "port" - "wolfssl" - ) + "wolfssl/wolfcrypt/src/aes.c" + "wolfssl/wolfcrypt/src/arc4.c" + "wolfssl/wolfcrypt/src/asm.c" + "wolfssl/wolfcrypt/src/asn.c" + "wolfssl/wolfcrypt/src/blake2b.c" + "wolfssl/wolfcrypt/src/blake2s.c" + "wolfssl/wolfcrypt/src/camellia.c" + "wolfssl/wolfcrypt/src/chacha20_poly1305.c" + "wolfssl/wolfcrypt/src/chacha.c" + "wolfssl/wolfcrypt/src/cmac.c" + "wolfssl/wolfcrypt/src/coding.c" + "wolfssl/wolfcrypt/src/compress.c" + "wolfssl/wolfcrypt/src/cpuid.c" + "wolfssl/wolfcrypt/src/cryptocb.c" + "wolfssl/wolfcrypt/src/curve25519.c" + "wolfssl/wolfcrypt/src/curve448.c" + "wolfssl/wolfcrypt/src/des3.c" + "wolfssl/wolfcrypt/src/dh.c" + "wolfssl/wolfcrypt/src/dilithium.c" + "wolfssl/wolfcrypt/src/dsa.c" + "wolfssl/wolfcrypt/src/ecc.c" + "wolfssl/wolfcrypt/src/ecc_fp.c" + "wolfssl/wolfcrypt/src/eccsi.c" + "wolfssl/wolfcrypt/src/ed25519.c" + "wolfssl/wolfcrypt/src/ed448.c" + "wolfssl/wolfcrypt/src/error.c" + # "wolfssl/wolfcrypt/src/evp.c" + "wolfssl/wolfcrypt/src/ext_kyber.c" + "wolfssl/wolfcrypt/src/ext_lms.c" + 
"wolfssl/wolfcrypt/src/ext_xmss.c" + "wolfssl/wolfcrypt/src/falcon.c" + "wolfssl/wolfcrypt/src/fe_448.c" + "wolfssl/wolfcrypt/src/fe_low_mem.c" + "wolfssl/wolfcrypt/src/fe_operations.c" + "wolfssl/wolfcrypt/src/ge_448.c" + "wolfssl/wolfcrypt/src/ge_low_mem.c" + "wolfssl/wolfcrypt/src/ge_operations.c" + "wolfssl/wolfcrypt/src/hash.c" + "wolfssl/wolfcrypt/src/hmac.c" + "wolfssl/wolfcrypt/src/hpke.c" + "wolfssl/wolfcrypt/src/integer.c" + "wolfssl/wolfcrypt/src/kdf.c" + "wolfssl/wolfcrypt/src/logging.c" + "wolfssl/wolfcrypt/src/md2.c" + "wolfssl/wolfcrypt/src/md4.c" + "wolfssl/wolfcrypt/src/md5.c" + "wolfssl/wolfcrypt/src/memory.c" + # "wolfssl/wolfcrypt/src/misc.c" + "wolfssl/wolfcrypt/src/pkcs12.c" + "wolfssl/wolfcrypt/src/pkcs7.c" + "wolfssl/wolfcrypt/src/poly1305.c" + "wolfssl/wolfcrypt/src/pwdbased.c" + "wolfssl/wolfcrypt/src/random.c" + "wolfssl/wolfcrypt/src/rc2.c" + "wolfssl/wolfcrypt/src/ripemd.c" + "wolfssl/wolfcrypt/src/rsa.c" + "wolfssl/wolfcrypt/src/sakke.c" + "wolfssl/wolfcrypt/src/sha256.c" + "wolfssl/wolfcrypt/src/sha3.c" + "wolfssl/wolfcrypt/src/sha512.c" + "wolfssl/wolfcrypt/src/sha.c" + "wolfssl/wolfcrypt/src/signature.c" + "wolfssl/wolfcrypt/src/siphash.c" + "wolfssl/wolfcrypt/src/sm2.c" + "wolfssl/wolfcrypt/src/sm3.c" + "wolfssl/wolfcrypt/src/sm4.c" + "wolfssl/wolfcrypt/src/sp_arm32.c" + "wolfssl/wolfcrypt/src/sp_arm64.c" + "wolfssl/wolfcrypt/src/sp_armthumb.c" + "wolfssl/wolfcrypt/src/sp_c32.c" + "wolfssl/wolfcrypt/src/sp_c64.c" + "wolfssl/wolfcrypt/src/sp_cortexm.c" + "wolfssl/wolfcrypt/src/sp_dsp32.c" + "wolfssl/wolfcrypt/src/sphincs.c" + "wolfssl/wolfcrypt/src/sp_int.c" + # "wolfssl/wolfcrypt/src/sp_sm2_arm32.c" + # "wolfssl/wolfcrypt/src/sp_sm2_arm64.c" + # "wolfssl/wolfcrypt/src/sp_sm2_armthumb.c" + # "wolfssl/wolfcrypt/src/sp_sm2_c32.c" + # "wolfssl/wolfcrypt/src/sp_sm2_c64.c" + # "wolfssl/wolfcrypt/src/sp_sm2_cortexm.c" + # "wolfssl/wolfcrypt/src/sp_sm2_x86_64.c" + "wolfssl/wolfcrypt/src/sp_x86_64.c" + "wolfssl/wolfcrypt/src/srp.c" + 
"wolfssl/wolfcrypt/src/tfm.c" + "wolfssl/wolfcrypt/src/wc_dsp.c" + "wolfssl/wolfcrypt/src/wc_encrypt.c" + "wolfssl/wolfcrypt/src/wc_kyber.c" + "wolfssl/wolfcrypt/src/wc_kyber_poly.c" + "wolfssl/wolfcrypt/src/wc_lms.c" + "wolfssl/wolfcrypt/src/wc_lms_impl.c" + "wolfssl/wolfcrypt/src/wc_pkcs11.c" + "wolfssl/wolfcrypt/src/wc_port.c" + "wolfssl/wolfcrypt/src/wc_xmss.c" + "wolfssl/wolfcrypt/src/wc_xmss_impl.c" + "wolfssl/wolfcrypt/src/wolfevent.c" + "wolfssl/wolfcrypt/src/wolfmath.c" -set(COMPONENT_SRCEXCLUDE_1 - "wolfssl/wolfcrypt/src/aes_asm.S" - "wolfssl/wolfcrypt/src/evp.c" - "wolfssl/wolfcrypt/src/misc.c" - "wolfssl/src/bio.c" - "wolfssl/wolfcrypt/src/sp_x86_64_asm.S" - "wolfssl/wolfcrypt/src/sha512_asm.S" - "wolfssl/wolfcrypt/src/sha256_asm.S" - "wolfssl/wolfcrypt/src/chacha_asm.S" - "wolfssl/wolfcrypt/src/aes_gcm_asm.S" - "wolfssl/wolfcrypt/src/poly1305_asm.S" - "wolfssl/wolfcrypt/src/fe_x25519_asm.S" - ) + "wolfssl/wolfcrypt/src/port/Espressif/esp32_aes.c" + "wolfssl/wolfcrypt/src/port/Espressif/esp32_mp.c" + "wolfssl/wolfcrypt/src/port/Espressif/esp32_sha.c" + "wolfssl/wolfcrypt/src/port/Espressif/esp32_util.c" + "wolfssl/wolfcrypt/src/port/Espressif/esp_sdk_mem_lib.c" + "wolfssl/wolfcrypt/src/port/Espressif/esp_sdk_time_lib.c" + "wolfssl/wolfcrypt/src/port/Espressif/esp_sdk_wifi_lib.c" + + INCLUDE_DIRS + "${CMAKE_CURRENT_LIST_DIR}/port" + "${CMAKE_CURRENT_SOURCE_DIR}" + "${CMAKE_CURRENT_SOURCE_DIR}/wolfssl" + "$ENV{IDF_PATH}/components/freertos/FreeRTOS-Kernel/include/freertos" + + PRIV_REQUIRES + "lwip" + "esp_driver_gptimer" +) -idf_component_register(SRC_DIRS "${COMPONENT_SRCDIRS}" - INCLUDE_DIRS "${COMPONENT_ADD_INCLUDEDIRS}" - REQUIRES "${COMPONENT_REQUIRES}" - EXCLUDE_SRCS "${COMPONENT_SRCEXCLUDE_1}" - ) -target_compile_options(${COMPONENT_LIB} PRIVATE -Wno-cpp -Wno-maybe-uninitialized) -set_source_files_properties(wolfssl/src/ssl.c PROPERTIES COMPILE_FLAGS "-Wno-format-truncation -Wno-char-subscripts") 
-set_source_files_properties(wolfssl/wolfcrypt/src/random.c PROPERTIES COMPILE_FLAGS "-Wno-implicit-function-declaration")
-set_source_files_properties(wolfssl/wolfcrypt/src/port/Espressif/esp32_aes.c PROPERTIES COMPILE_FLAGS "-Wno-incompatible-pointer-types")
 target_compile_definitions(${COMPONENT_LIB} PUBLIC WOLFSSL_USER_SETTINGS)
diff --git a/port/user_settings.h b/port/user_settings.h
index 5653a61..0aa624c 100755
--- a/port/user_settings.h
+++ b/port/user_settings.h
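Review bot: The `INCLUDE_DIRS` entry `$ENV{IDF_PATH}/components/freertos/FreeRTOS-Kernel/include/freertos` reaches into the IDF tree by environment path instead of declaring a component dependency, so it is invisible to the dependency graph and breaks whenever IDF relocates that directory; adding `freertos` to `PRIV_REQUIRES` (or to a `REQUIRES` list if the public wolfSSL headers need it) is the supported way to get those headers. The hand-maintained `SRCS` list also compiles files that are only live under macros this port never sets — the `sp_x86_64.c`/`sp_arm32.c`/`sp_arm64.c`/`sp_armthumb.c`/`sp_cortexm.c`/`sp_dsp32.c` math backends, `sniffer.c`, `wc_pkcs11.c`, `wc_dsp.c` — which as far as I can tell become empty translation units, but each silently turns into real code the moment a matching macro lands in `user_settings.h`, so either drop them or mark them with `# compiled but gated out by user_settings.h; not used on Xtensa/RISC-V targets`. `REQUIRES lwip` became `PRIV_REQUIRES lwip` while `WOLFSSL_USER_SETTINGS` stays PUBLIC; if wolfSSL's public headers pull in lwip under `WOLFSSL_ESPIDF`, dependents will now have to require lwip themselves — worth confirming with a build of a consumer.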
@@ -1,23 +1,288 @@ /* user_settings.h * - * Copyright (C) 2006-2019 wolfSSL Inc. All rights reserved. + * Copyright (C) 2006-2024 wolfSSL Inc. * * This file is part of wolfSSL. * - * Contact licensing@wolfssl.com with any questions or comments. + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. * - * https://www.wolfssl.com + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +/* The Espressif project config file. See also sdkconfig.defaults */ #include "sdkconfig.h" -#undef WOLFSSL_ESPIDF +/* This user_settings.h is for Espressif ESP-IDF + * + * Standardized wolfSSL Espressif ESP32 + ESP8266 user_settings.h V5.7.0-1 + * + * Do not include any wolfssl headers here. + * + * When editing this file: + * ensure all examples match. The template example is the reference. + */ + +/* Naming convention: (see also esp32-crypt.h for the reference source). + * + * CONFIG_ + * This prefix indicates the setting came from the sdkconfig / Kconfig. + * + * May or may not be related to wolfSSL. + * + * The name after this prefix must exactly match that in the Kconfig file. + * + * WOLFSSL_ + * Typical of many, but not all wolfSSL macro names. + * + * Applies to all wolfSSL products such as wolfSSH, wolfMQTT, etc. + * + * May or may not have a corresponding sdkconfig / Kconfig control. + * + * ESP_WOLFSSL_ + * These are NOT valid wolfSSL macro names. 
These are names only used in + * the ESP-IDF Kconfig files. When parsed, they will have a "CONFIG_" + * suffix added. See next section. + * + * CONFIG_ESP_WOLFSSL_ + * This is a wolfSSL-specific macro that has been defined in the ESP-IDF + * via the sdkconfig / menuconfig. Any text after this prefix should + * exactly match an existing wolfSSL macro name. + * + * Applies to all wolfSSL products such as wolfSSH, wolfMQTT, etc. + * + * These macros may also be specific to only the project or environment, + * and possibly not used anywhere else in the wolfSSL libraries. + */ + +/* The Espressif sdkconfig will have chipset info. +** +** Some possible values: +** +** CONFIG_IDF_TARGET_ESP32 +** CONFIG_IDF_TARGET_ESP32S2 +** CONFIG_IDF_TARGET_ESP32S3 +** CONFIG_IDF_TARGET_ESP32C3 +** CONFIG_IDF_TARGET_ESP32C6 +*/ + +#undef WOLFSSL_ESPIDF #define WOLFSSL_ESPIDF -#define WOLFSSL_ESPWROOM32 -#define BENCH_EMBEDDED +/* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */ +/* #define USE_WOLFSSL_ESP_SDK_WIFI */ + +#if defined(CONFIG_TLS_STACK_WOLFSSL) && (CONFIG_TLS_STACK_WOLFSSL) + /* When using ESP-TLS, some old algoritms such as SHA1 are no longer + * enabled in wolfSSL, except for the OpenSSL compatibility. So enable + * that here: */ + #define OPENSSL_EXTRA +#endif + +/* Pick a cert buffer size: */ +/* #define USE_CERT_BUFFERS_2048 */ +/* #define USE_CERT_BUFFERS_1024 */ #define USE_CERT_BUFFERS_2048 +/* The Espressif sdkconfig will have chipset info. 
+** +** Some possible values: +** +** CONFIG_IDF_TARGET_ESP32 +** CONFIG_IDF_TARGET_ESP32S2 +** CONFIG_IDF_TARGET_ESP32S3 +** CONFIG_IDF_TARGET_ESP32C3 +** CONFIG_IDF_TARGET_ESP32C6 +*/ + +#undef WOLFSSL_ESPIDF +#define WOLFSSL_ESPIDF + +/* Not yet using WiFi lib, so don't compile in the esp-sdk-lib WiFi helpers: */ +/* #define USE_WOLFSSL_ESP_SDK_WIFI */ + +/* + * ONE of these Espressif chip families will be detected from sdkconfig: + * + * WOLFSSL_ESP32 + * WOLFSSL_ESPWROOM32SE + * WOLFSSL_ESP8266 + * + * following ifdef detection only for syntax highlighting: + */ +#ifdef WOLFSSL_ESPWROOM32SE + #undef WOLFSSL_ESPWROOM32SE +#endif +#ifdef WOLFSSL_ESP8266 + #undef WOLFSSL_ESP8266 +#endif +#ifdef WOLFSSL_ESP32 + #undef WOLFSSL_ESP32 +#endif +/* See below for chipset detection from sdkconfig.h */ + +/* Small session cache saves a lot of RAM for ClientCache and SessionCache. + * Memory requirement is about 5KB, otherwise 20K is needed when not specified. + * If extra small footprint is needed, try MICRO_SESSION_CACHE (< 1K) + * When really desperate or no TLS used, try NO_SESSION_CACHE. */ +#define NO_SESSION_CACHE + +/* Small Stack uses more heap. */ +#define WOLFSSL_SMALL_STACK + +/* Full debugging turned off, but show malloc failure detail */ +/* #define DEBUG_WOLFSSL */ +#define DEBUG_WOLFSSL_MALLOC + +/* See test.c that sets cert buffers; we'll set them here: */ +#define USE_CERT_BUFFERS_256 +#define USE_CERT_BUFFERS_2048 + +/* RSA_LOW_MEM: Half as much memory but twice as slow. 
*/ +#define RSA_LOW_MEM + +/* Uncommon settings for testing only */ +#define TEST_ESPIDF_ALL_WOLFSSL +#ifdef TEST_ESPIDF_ALL_WOLFSSL + #define WOLFSSL_MD2 + #define HAVE_BLAKE2 + #define HAVE_BLAKE2B + #define HAVE_BLAKE2S + + #define WC_RC2 + #define WOLFSSL_ALLOW_RC4 + + #define HAVE_POLY1305 + + #define WOLFSSL_AES_128 + #define WOLFSSL_AES_OFB + #define WOLFSSL_AES_CFB + #define WOLFSSL_AES_XTS + + /* #define WC_SRTP_KDF */ + /* TODO Causes failure with Espressif AES HW Enabled */ + /* #define HAVE_AES_ECB */ + /* #define HAVE_AESCCM */ + /* TODO sanity check when missing HAVE_AES_ECB */ + #define WOLFSSL_WOLFSSH + + #define HAVE_AESGCM + #define WOLFSSL_AES_COUNTER + + #define HAVE_FFDHE + #define HAVE_FFDHE_2048 + #if defined(CONFIG_IDF_TARGET_ESP8266) + /* TODO Full size SRP is disabled on the ESP8266 at this time. + * Low memory issue? */ + #define WOLFCRYPT_HAVE_SRP + /* MIN_FFDHE_FP_MAX_BITS = (MIN_FFDHE_BITS * 2); see settings.h */ + #define FP_MAX_BITS MIN_FFDHE_FP_MAX_BITS + #elif defined(CONFIG_IDF_TARGET_ESP32) || \ + defined(CONFIG_IDF_TARGET_ESP32S2) || \ + defined(CONFIG_IDF_TARGET_ESP32S3) + #elif defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32H2) + /* SRP Known to be working on this target::*/ + #define WOLFCRYPT_HAVE_SRP + #define FP_MAX_BITS (8192 * 2) + #else + /* For everything else, give a try and see if SRP working: */ + #define WOLFCRYPT_HAVE_SRP + #define FP_MAX_BITS (8192 * 2) + #endif + + #define HAVE_DH + + /* TODO: there may be a problem with HAVE_CAMELLIA with HW AES disabled. + * Do not define NO_WOLFSSL_ESP32_CRYPT_AES when enabled: */ + /* #define HAVE_CAMELLIA */ + + /* DSA requires old SHA */ + #define HAVE_DSA + + /* Needs SHA512 ? */ + #define HAVE_HPKE + + /* Not for Espressif? 
*/ + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32H2) || \ + defined(CONFIG_IDF_TARGET_ESP8266) + + #if defined(CONFIG_IDF_TARGET_ESP8266) + #undef HAVE_ECC + #undef HAVE_ECC_CDH + #undef HAVE_CURVE25519 + + /* TODO does CHACHA also need alignment? Failing on ESP8266 + * See SHA256 __attribute__((aligned(4))); and WC_SHA256_ALIGN */ + #ifdef HAVE_CHACHA + #error "HAVE_CHACHA not supported on ESP8266" + #endif + #ifdef HAVE_XCHACHA + #error "HAVE_XCHACHA not supported on ESP8266" + #endif + #else + #define HAVE_XCHACHA + #define HAVE_CHACHA + /* TODO Not enabled at this time, needs further testing: + * #define WC_SRTP_KDF + * #define HAVE_COMP_KEY + * #define WOLFSSL_HAVE_XMSS + */ + #endif + /* TODO AES-EAX not working on this platform */ + + /* Optionally disable DH + * #undef HAVE_DH + * #undef HAVE_FFDHE + */ + + /* ECC_SHAMIR out of memory on ESP32-C2 during ECC */ + #ifndef HAVE_ECC + #define ECC_SHAMIR + #endif + #else + #define WOLFSSL_AES_EAX + + #define ECC_SHAMIR + #endif + + /* Only for WOLFSSL_IMX6_CAAM / WOLFSSL_QNX_CAAM ? */ + /* #define WOLFSSL_CAAM */ + /* #define WOLFSSL_CAAM_BLOB */ + + #define WOLFSSL_AES_SIV + #define WOLFSSL_CMAC + + #define WOLFSSL_CERT_PIV + + /* HAVE_SCRYPT may turn on HAVE_PBKDF2 see settings.h */ + /* #define HAVE_SCRYPT */ + #define SCRYPT_TEST_ALL + #define HAVE_X963_KDF +#endif + +/* optionally turn off SHA512/224 SHA512/256 */ +/* #define WOLFSSL_NOSHA512_224 */ +/* #define WOLFSSL_NOSHA512_256 */ + +/* when you want to use SINGLE THREAD. Note Default ESP-IDF is FreeRTOS */ +/* #define SINGLE_THREADED */ + +/* When you don't want to use the old SHA */ +/* #define NO_SHA */ +/* #define NO_OLD_TLS */ + /* TLS 1.3 */ // #define WOLFSSL_TLS13 #define HAVE_TLS_EXTENSIONS 
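Review bot: `TEST_ESPIDF_ALL_WOLFSSL` is defined unconditionally, and the block under it enables legacy and test-only algorithms (`WOLFSSL_MD2`, `WOLFSSL_ALLOW_RC4`, `WC_RC2`, `HAVE_DSA`, `SCRYPT_TEST_ALL`, ...) in a component whose previous configuration explicitly set `NO_RC4`/`NO_MD4`/`NO_DES3`/`NO_RABBIT` — those lines are dropped in the next hunk — so the net effect of the two hunks is that RC4 and other deprecated primitives become part of the firmware; the comment above it says "Uncommon settings for testing only", so for a production port this should be `/* #define TEST_ESPIDF_ALL_WOLFSSL */` or a Kconfig-gated option, with any setting the application actually needs (e.g. `HAVE_AESGCM`, `HAVE_DH`) moved out of the test block. The hunk also duplicates itself: the "The Espressif sdkconfig will have chipset info" comment, the `#undef WOLFSSL_ESPIDF` / `#define WOLFSSL_ESPIDF` pair and the `USE_WOLFSSL_ESP_SDK_WIFI` comment each appear twice, and `USE_CERT_BUFFERS_2048` is defined twice. `DEBUG_WOLFSSL_MALLOC` is likewise defined unconditionally and belongs behind a debug Kconfig switch. In the naming-convention comment, `they will have a "CONFIG_" suffix added` should read `prefix`, as the following `CONFIG_ESP_WOLFSSL_` paragraph shows.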
@@ -26,82 +291,58 @@ #define HAVE_AEAD #define HAVE_SUPPORTED_CURVES -/* when you want to use SINGLE THREAD */ -/* #define SINGLE_THREADED */ #define NO_FILESYSTEM -#define HAVE_AESGCM -/* when you want to use SHA384 */ -#define WOLFSSL_SHA384 -#define WOLFSSL_SHA512 -#define HAVE_ECC -#define HAVE_CURVE25519 -#define CURVE25519_SMALL -#define HAVE_ED25519 - -/* ALPN in wolfSSL is enabled by default, can be disabled with menuconfig */ -#define HAVE_ALPN - -#define HAVE_SNI - -#ifdef CONFIG_WOLFSSL_HAVE_OCSP -#define HAVE_OCSP -#define HAVE_CERTIFICATE_STATUS_REQUEST -#endif - -/* do not use wolfssl defined app_main function used to test esp-wolfssl */ -#define NO_MAIN_DRIVER - -/* you can disable folowing cipher suites by uncommenting following lines */ -// #define NO_DSA -// #define NO_DH - -/* These Flags are defined to make wolfssl not use some insecure cipher suites */ -#define NO_MD4 -#define NO_DES3 -#define NO_RC4 -#define NO_RABBIT #define NO_OLD_TLS -/* Allows of x509 certs (for wolfssl_get_verify_result function) */ -#define OPENSSL_EXTRA_X509_SMALL +#define HAVE_AESGCM -/* Only requires the peer certificate to validate to a trusted certificate. - * If peer sends additional certificates not in the chain they are allowed, - * but not trusted */ -#define WOLFSSL_ALT_CERT_CHAINS +/* Optional RIPEMD: RACE Integrity Primitives Evaluation Message Digest */ +/* #define WOLFSSL_RIPEMD */ -#define WOLFSSL_BASE64_ENCODE +/* when you want to use SHA224 */ +#define WOLFSSL_SHA224 -/* Static ciphers are highly discouraged */ -// #define WOLFSSL_STATIC_RSA -// #define WOLFSSL_STATIC_PSK -// #define WOLFSSL_STATIC_DH +/* when you want to use SHA384 */ +#define WOLFSSL_SHA384 -/* This enables the most common openssl compatibility layer API's */ -#define OPENSSL_EXTRA +/* Some features not enabled for ESP8266: */ +#if defined(CONFIG_IDF_TARGET_ESP8266) || \ + defined(CONFIG_IDF_TARGET_ESP32C2) + /* Some known low-memory devices have features not enabled by default. 
*/ + /* TODO determine low memory configuration for ECC. */ +#else + /* when you want to use SHA512 */ + #define WOLFSSL_SHA512 -/* This enables all Openssl compatibility layer functions - * Note: this is large and cannot be used with NO_ASN_TIME */ -// #define OPENSSL_ALL + /* when you want to use SHA3 */ + #define WOLFSSL_SHA3 -/* Use smaller version of the certificate checking code */ -#define WOLFSSL_SMALL_CERT_VERIFY + /* ED25519 requires SHA512 */ + #define HAVE_ED25519 -/* Reduces the stack and session cache used by wolfssl */ -#define WOLFSSL_SMALL_STACK -#define SMALL_SESSION_CACHE + #define HAVE_ECC + #define HAVE_CURVE25519 + #define CURVE25519_SMALL + #define HAVE_ED25519 +#endif + +/* Optional OpenSSL compatibility */ +/* #define OPENSSL_EXTRA */ -/* when you want to use pkcs7 */ +/* #Optional HAVE_PKCS7 */ /* #define HAVE_PKCS7 */ #if defined(HAVE_PKCS7) + /* HAVE_PKCS7 may enable HAVE_PBKDF2 see settings.h */ + #define NO_PBKDF2 + #define HAVE_AES_KEYWRAP #define HAVE_X963_KDF #define WOLFSSL_AES_DIRECT #endif -/* when you want to use aes counter mode */ +/* when you want to use AES counter mode */ /* #define WOLFSSL_AES_DIRECT */ /* #define WOLFSSL_AES_COUNTER */ 
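Review bot: The `#if defined(HAVE_PKCS7)` block here (`NO_PBKDF2`, `HAVE_AES_KEYWRAP`, `HAVE_X963_KDF`, `WOLFSSL_AES_DIRECT`) is evaluated before `HAVE_PKCS7` is defined — the only `#define HAVE_PKCS7` is at the very end of the file in the next hunk, and nothing included above (only `sdkconfig.h`) is expected to define it — so the block is dead at preprocessing time and `NO_PBKDF2` never takes effect; PATCH 02's `@@ -335` hunk, which comments out `NO_PBKDF2`, edits the same dead block. Either move `#define HAVE_PKCS7` above this `#if`, or delete this block in favour of the one at the end of the file so there is a single place where PKCS7 options live. Separately, `HAVE_ED25519` is defined twice in the `#else` branch of the ESP8266/ESP32-C2 check; the second `#define HAVE_ED25519` can go.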
@@ -115,38 +356,507 @@ /* #define CUSTOM_SLOT_ALLOCATION */ #endif -/* rsa primitive specific definition */ -#if defined(WOLFSSL_ESPWROOM32) || defined(WOLFSSL_ESPWROOM32SE) - /* Define USE_FAST_MATH and SMALL_STACK */ - #define ESP32_USE_RSA_PRIMITIVE - /* threshold for performance adjustment for hw primitive use */ - /* X bits of G^X mod P greater than */ - #define EPS_RSA_EXPT_XBTIS 36 - /* X and Y of X * Y mod P greater than */ - #define ESP_RSA_MULM_BITS 2000 -#endif +/* WC_NO_CACHE_RESISTANT: slower but more secure */ +/* #define WC_NO_CACHE_RESISTANT */ + +/* TFM_TIMING_RESISTANT: slower but more secure */ +/* #define TFM_TIMING_RESISTANT */ -/* debug options */ -// #define DEBUG_WOLFSSL -// #define WOLFSSL_ESP32WROOM32_CRYPT_DEBUG -/* #define WOLFSSL_ATECC_DEBUG */ +/* #define WOLFSSL_ATECC508A_DEBUG */ /* date/time */ /* if it cannot adjust time in the device, */ /* enable macro below */ -#define NO_ASN_TIME -#define XTIME time -#define XGMTIME(c, t) gmtime((c)) +/* #define NO_ASN_TIME */ +/* #define XTIME time */ + + +/* adjust wait-timeout count if you see timeout in RSA HW acceleration */ +#define ESP_RSA_TIMEOUT_CNT 0x349F00 + +/* hash limit for test.c */ +#define HASH_SIZE_LIMIT + +/* USE_FAST_MATH is default */ +#define USE_FAST_MATH -/* when you want not to use HW acceleration */ -#if !defined(CONFIG_IDF_TARGET_ESP32) - #define NO_ESP32WROOM32_CRYPT +/***** Use SP_MATH *****/ +/* #undef USE_FAST_MATH */ +/* #define SP_MATH */ +/* #define WOLFSSL_SP_MATH_ALL */ +/* #define WOLFSSL_SP_RISCV32 */ + +/***** Use Integer Heap Math *****/ +/* #undef USE_FAST_MATH */ +/* #define USE_INTEGER_HEAP_MATH */ + +/* Just syntax highlighting to check math libraries: */ +#if defined(SP_MATH) || \ + defined(USE_INTEGER_HEAP_MATH) || \ + defined(USE_INTEGER_HEAP_MATH) || \ + defined(USE_FAST_MATH) || \ + defined(WOLFSSL_SP_MATH_ALL) || \ + defined(WOLFSSL_SP_RISCV32) #endif -/* Turn off the sha acceleration for esp32 */ -#define NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH -/* 
#define NO_WOLFSSL_ESP32WROOM32_CRYPT_AES */ -/* #define NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI */ +#define WOLFSSL_SMALL_STACK + + +#define HAVE_VERSION_EXTENDED_INFO +/* #define HAVE_WC_INTROSPECTION */ -/* adjust wait-timeout count if you see timeout in rsa hw acceleration */ -#define ESP_RSA_TIMEOUT_CNT 0x249F00 +#ifndef NO_SESSION_CACHE + #define HAVE_SESSION_TICKET +#endif + +/* #define HAVE_HASHDRBG */ + +#define WOLFSSL_KEY_GEN +#define WOLFSSL_CERT_REQ +#define WOLFSSL_CERT_GEN +#define WOLFSSL_CERT_EXT +#define WOLFSSL_SYS_CA_CERTS + + +#define WOLFSSL_CERT_TEXT + +#define WOLFSSL_ASN_TEMPLATE + +/* +#undef WOLFSSL_KEY_GEN +#undef WOLFSSL_CERT_REQ +#undef WOLFSSL_CERT_GEN +#undef WOLFSSL_CERT_EXT +#undef WOLFSSL_SYS_CA_CERTS +*/ + +/* command-line options +--enable-keygen +--enable-certgen +--enable-certreq +--enable-certext +--enable-asn-template +*/ + +/* Chipset detection from sdkconfig.h + * Default is HW enabled unless turned off. + * Uncomment lines to force SW instead of HW acceleration */ +#if defined(CONFIG_IDF_TARGET_ESP32) || defined(WOLFSSL_ESPWROOM32SE) + #define WOLFSSL_ESP32 + /* Alternatively, if there's an ECC Secure Element present: */ + /* #define WOLFSSL_ESPWROOM32SE */ + + /* wolfSSL HW Acceleration supported on ESP32. 
Uncomment to disable: */ + /* #define NO_ESP32_CRYPT */ + /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ + /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ + + /* These are defined automatically in esp32-crypt.h, here for clarity: */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 /* no SHA224 HW on ESP32 */ + + #undef ESP_RSA_MULM_BITS + #define ESP_RSA_MULM_BITS 16 /* TODO add compile-time warning */ + /***** END CONFIG_IDF_TARGET_ESP32 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP32S2) + #define WOLFSSL_ESP32 + /* wolfSSL HW Acceleration supported on ESP32-S2. Uncomment to disable: */ + /* #define NO_ESP32_CRYPT */ + /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ + /* Note: There's no AES192 HW on the ESP32-S2; falls back to SW */ + /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ + /***** END CONFIG_IDF_TARGET_ESP32S2 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP32S3) + #define WOLFSSL_ESP32 + /* wolfSSL HW Acceleration supported on ESP32-S3. 
Uncomment to disable: */ + /* #define NO_ESP32_CRYPT */ + /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ + /* Note: There's no AES192 HW on the ESP32-S3; falls back to SW */ + /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ + /***** END CONFIG_IDF_TARGET_ESP32S3 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) + #define WOLFSSL_ESP32 + /* ESP8684 is essentially ESP32-C2 chip + flash embedded together in a + * single QFN 4x4 mm package. Out of released documentation, Technical + * Reference Manual as well as ESP-IDF Programming Guide is applicable + * to both ESP32-C2 and ESP8684. + * + * See: https://www.esp32.com/viewtopic.php?f=5&t=27926#:~:text=ESP8684%20is%20essentially%20ESP32%2DC2,both%20ESP32%2DC2%20and%20ESP8684. */ + + /* wolfSSL HW Acceleration supported on ESP32-C2. Uncomment to disable: */ + /* #define NO_ESP32_CRYPT */ + /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */ + + /* These are defined automatically in esp32-crypt.h, here for clarity */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C2 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C2 */ + + /* There's no AES or RSA/Math accelerator on the ESP32-C2 + * Auto defined with NO_WOLFSSL_ESP32_CRYPT_RSA_PRI, for clarity: */ + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD + /***** END CONFIG_IDF_TARGET_ESP32C2 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP32C3) + #define WOLFSSL_ESP32 + /* wolfSSL HW Acceleration supported on ESP32-C3. 
Uncomment to disable: */ + + /* #define NO_ESP32_CRYPT */ + /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */ + + /* These are defined automatically in esp32-crypt.h, here for clarity: */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */ + + /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ + /***** END CONFIG_IDF_TARGET_ESP32C3 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP32C6) + #define WOLFSSL_ESP32 + /* wolfSSL HW Acceleration supported on ESP32-C6. Uncomment to disable: */ + + /* #define NO_ESP32_CRYPT */ + /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ + /* These are defined automatically in esp32-crypt.h, here for clarity: */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */ + + /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD */ + /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ + /***** END CONFIG_IDF_TARGET_ESP32C6 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP32H2) + #define WOLFSSL_ESP32 + /* wolfSSL Hardware Acceleration not yet implemented */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32H2 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP8266) + #define WOLFSSL_ESP8266 + + /* There's no hardware encryption on the ESP8266 */ + /* Consider using the ESP32-C2/C3/C6 + * See https://www.espressif.com/en/products/socs/esp32-c2 */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + 
#define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP266 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP8684) + /* There's no Hardware Acceleration available on ESP8684 */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP8684 *****/ + +#else + /* Anything else encountered, disable HW accleration */ + #warning "Unexpected CONFIG_IDF_TARGET_NN value" + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI +#endif /* CONFIG_IDF_TARGET Check */ + +/* RSA primitive specific definition, listed AFTER the Chipset detection */ +#if defined(WOLFSSL_ESP32) || defined(WOLFSSL_ESPWROOM32SE) + /* Consider USE_FAST_MATH and SMALL_STACK */ + + #ifndef NO_RSA + #define ESP32_USE_RSA_PRIMITIVE + + #if defined(CONFIG_IDF_TARGET_ESP32) + #ifdef CONFIG_ESP_MAIN_TASK_STACK_SIZE + #if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500 + #warning "RSA may be difficult with less than 10KB Stack "/ + #endif + #endif + + /* NOTE HW unreliable for small values! 
*/ + /* threshold for performance adjustment for HW primitive use */ + /* X bits of G^X mod P greater than */ + #undef ESP_RSA_EXPT_XBITS + #define ESP_RSA_EXPT_XBITS 32 + + /* X and Y of X * Y mod P greater than */ + #undef ESP_RSA_MULM_BITS + #define ESP_RSA_MULM_BITS 16 + #endif + #endif +#endif + +/* Debug options: +See wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h for details on debug options + +#define ESP_VERIFY_MEMBLOCK +#define DEBUG_WOLFSSL +#define DEBUG_WOLFSSL_VERBOSE +#define DEBUG_WOLFSSL_SHA_MUTEX +#define WOLFSSL_ESP32_CRYPT_DEBUG +#define WOLFSSL_ESP32_CRYPT_HASH_SHA224_DEBUG +#define NO_RECOVER_SOFTWARE_CALC +#define WOLFSSL_TEST_STRAY 1 +#define USE_ESP_DPORT_ACCESS_READ_BUFFER +#define WOLFSSL_ESP32_HW_LOCK_DEBUG +#define WOLFSSL_DEBUG_MUTEX +#define WOLFSSL_DEBUG_ESP_RSA_MULM_BITS +#define ESP_DISABLE_HW_TASK_LOCK +#define ESP_MONITOR_HW_TASK_LOCK +#define USE_ESP_DPORT_ACCESS_READ_BUFFER + +See wolfcrypt/benchmark/benchmark.c for debug and other settings: + +Turn on benchmark timing debugging (CPU Cycles, RTOS ticks, etc) +#define DEBUG_WOLFSSL_BENCHMARK_TIMING + +Turn on timer debugging (used when CPU cycles not available) +#define WOLFSSL_BENCHMARK_TIMER_DEBUG +*/ + +/* Pause in a loop rather than exit. */ +/* #define WOLFSSL_ESPIDF_ERROR_PAUSE */ +/* #define WOLFSSL_ESP32_HW_LOCK_DEBUG */ + +#define WOLFSSL_HW_METRICS + +/* for test.c */ +/* #define HASH_SIZE_LIMIT */ + +/* Optionally turn off HW math checks */ +/* #define NO_HW_MATH_TEST */ + +/* Optionally include alternate HW test library: alt_hw_test.h */ +/* When enabling, the ./components/wolfssl/CMakeLists.txt file + * will need the name of the library in the idf_component_register + * for the PRIV_REQUIRES list. 
*/ +/* #define INCLUDE_ALT_HW_TEST */ + +/* optionally turn off individual math HW acceleration features */ + +/* Turn off Large Number ESP32 HW Multiplication: +** [Z = X * Y] in esp_mp_mul() */ +/* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */ + +/* Turn off Large Number ESP32 HW Modular Exponentiation: +** [Z = X^Y mod M] in esp_mp_exptmod() */ +/* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ + +/* Turn off Large Number ESP32 HW Modular Multiplication +** [Z = X * Y mod M] in esp_mp_mulmod() */ +/* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD */ + + +/* used by benchmark: */ +#define WOLFSSL_PUBLIC_MP + +/* when turning on ECC508 / ECC608 support +#define WOLFSSL_ESPWROOM32SE +#define HAVE_PK_CALLBACKS +#define WOLFSSL_ATECC508A +#define ATCA_WOLFSSL +*/ + +/***************************** Certificate Macros ***************************** + * + * The section below defines macros used in typically all of the wolfSSL + * examples such as the client and server for certs stored in header files. 
+ * + * There are various certificate examples in this header file: + * https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/certs_test.h + * + * To use the sets of macros below, define *one* of these: + * + * USE_CERT_BUFFERS_1024 - ECC 1024 bit encoded ASN1 + * USE_CERT_BUFFERS_2048 - RSA 2048 bit encoded ASN1 + * WOLFSSL_SM[2,3,4] - SM Ciphers + * + * For example: define USE_CERT_BUFFERS_2048 to use CA Certs used in this + * wolfSSL function for the `ca_cert_der_2048` buffer, size and types: + * + * ret = wolfSSL_CTX_load_verify_buffer(ctx, + * CTX_CA_CERT, + * CTX_CA_CERT_SIZE, + * CTX_CA_CERT_TYPE); + * + * See https://www.wolfssl.com/documentation/manuals/wolfssl/group__CertsKeys.html#function-wolfssl_ctx_load_verify_buffer + * + * In this case the CTX_CA_CERT will be defined as `ca_cert_der_2048` as + * defined here: https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/certs_test.h + * + * The CTX_CA_CERT_SIZE and CTX_CA_CERT_TYPE are similarly used to reference + * array size and cert type respectively. + * + * Similarly for loading the private client key: + * + * ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, + * CTX_CLIENT_KEY, + * CTX_CLIENT_KEY_SIZE, + * CTX_CLIENT_KEY_TYPE); + * + * see https://www.wolfssl.com/documentation/manuals/wolfssl/group__CertsKeys.html#function-wolfssl_ctx_use_privatekey_buffer + * + * Similarly, the other macros are for server certificates and keys: + * `CTX_SERVER_CERT` and `CTX_SERVER_KEY` are available. + * + * The certificate and key names are typically `static const unsigned char` + * arrays. The [NAME]_size are typically `sizeof([array name])`, and the types + * are the known wolfSSL encoding type integers (e.g. WOLFSSL_FILETYPE_PEM). 
+ * + * See `SSL_FILETYPE_[name]` in + * https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/ssl.h + * + * See Abstract Syntax Notation One (ASN.1) in: + * https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/wolfcrypt/asn.h + * + * Optional SM4 Ciphers: + * + * Although the SM ciphers are shown here, the `certs_test_sm.h` may not yet + * be available. See: + * https://github.com/wolfSSL/wolfssl/pull/6825 + * https://github.com/wolfSSL/wolfsm + * + * Uncomment these 3 macros to enable the SM Ciphers and use the macros below. + */ + +/* +#define WOLFSSL_SM2 +#define WOLFSSL_SM3 +#define WOLFSSL_SM4 +*/ + +/* Conditional macros used in wolfSSL TLS client and server examples */ +#if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) + #include + #define CTX_CA_CERT root_sm2 + #define CTX_CA_CERT_SIZE sizeof_root_sm2 + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_PEM + #define CTX_SERVER_CERT server_sm2 + #define CTX_SERVER_CERT_SIZE sizeof_server_sm2 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM + #define CTX_SERVER_KEY server_sm2_priv + #define CTX_SERVER_KEY_SIZE sizeof_server_sm2_priv + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_PEM + + #undef WOLFSSL_BASE16 + #define WOLFSSL_BASE16 +#else + #if defined(USE_CERT_BUFFERS_2048) + #define USE_CERT_BUFFERS_256 + /* Be sure to include in app when using example certs: */ + /* #include */ + #define CTX_CA_CERT ca_cert_der_2048 + #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_2048 + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_SERVER_CERT server_cert_der_2048 + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + #define CTX_SERVER_KEY server_key_der_2048 + #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_2048 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_CLIENT_CERT client_cert_der_2048 + #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + 
#define CTX_CLIENT_KEY client_key_der_2048 + #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_2048 + #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + + #elif defined(USE_CERT_BUFFERS_1024) + #define USE_CERT_BUFFERS_256 + /* Be sure to include in app when using example certs: */ + /* #include */ + #define CTX_CA_CERT ca_cert_der_1024 + #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_1024 + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_CLIENT_CERT client_cert_der_1024 + #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + #define CTX_CLIENT_KEY client_key_der_1024 + #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_1024 + #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_SERVER_CERT server_cert_der_1024 + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_1024 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + #define CTX_SERVER_KEY server_key_der_1024 + #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_1024 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #else + /* Optionally define custom cert arrays, sizes, and types here */ + #error "Must define USE_CERT_BUFFERS_2048 or USE_CERT_BUFFERS_1024" + #endif +#endif /* Conditional key and cert constant names */ + +/* See settings.h for some of the possible hardening options: + * + * #define NO_ESPIDF_DEFAULT + * #define WC_NO_CACHE_RESISTANT + * #define WC_AES_BITSLICED + * #define HAVE_AES_ECB + * #define HAVE_AES_DIRECT + */ + +/***********************************************************************************/ + +/** Enable SNI (TLS Server Name Indication) + */ +#define HAVE_SNI +#if defined(HAVE_SNI) + #define HAVE_ALPN +#endif + +/** Optionally enable OCSPv1 + */ +#ifdef CONFIG_WOLFSSL_HAVE_OCSP + #define HAVE_OCSP + #define HAVE_CERTIFICATE_STATUS_REQUEST +#endif + +/** Enable PKCS7 certificate parser with BER support + */ +#define HAVE_PKCS7 +#if defined(HAVE_PKCS7) + #define HAVE_AES_KEYWRAP + #define 
HAVE_X963_KDF + #define WOLFSSL_AES_DIRECT + #define WOLFSSL_ASN_TEMPLATE + #define NO_PKCS7_STREAM + #define ASN_BER_TO_DER +#endif + +/* Only requires the peer certificate to validate to a trusted certificate. + * If peer sends additional certificates not in the chain they are allowed, + * but not trusted */ +// #define WOLFSSL_ALT_CERT_CHAINS diff --git a/wolfssl b/wolfssl index 57aac1c..00e4215 160000 --- a/wolfssl +++ b/wolfssl @@ -1 +1 @@ -Subproject commit 57aac1c50b45275c7a99eca32ad985998b292dc8 +Subproject commit 00e42151ca061463ba6a95adb2290f678cbca472 From 5cc95fd79b8d1ee325b023c0ff23f7b97559bd76 Mon Sep 17 00:00:00 2001 From: Frank Mertens Date: Thu, 1 Aug 2024 00:41:27 +0200 Subject: [PATCH 02/11] Tuned user_settings.h for the ESP32 environment --- port/user_settings.h | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/port/user_settings.h b/port/user_settings.h index 0aa624c..db46196 100755 --- a/port/user_settings.h +++ b/port/user_settings.h @@ -335,7 +335,7 @@ #if defined(HAVE_PKCS7) /* HAVE_PKCS7 may enable HAVE_PBKDF2 see settings.h */ - #define NO_PBKDF2 + // #define NO_PBKDF2 #define HAVE_AES_KEYWRAP #define HAVE_X963_KDF @@ -367,8 +367,8 @@ /* date/time */ /* if it cannot adjust time in the device, */ /* enable macro below */ -/* #define NO_ASN_TIME */ -/* #define XTIME time */ +#define NO_ASN_TIME +// #define XTIME time /* adjust wait-timeout count if you see timeout in RSA HW acceleration */ 
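Review bot: `+#define NO_ASN_TIME` in the `@@ -367,8 +367,8 @@` hunk removes wolfSSL's certificate validity-period (notBefore/notAfter) checking for every consumer of this component, so an expired or not-yet-valid peer certificate is no longer rejected, and the surrounding comment ("if it cannot adjust time in the device") does not record that trade-off. Since `esp_sdk_time_lib.c` is already compiled into the component (visible as context in the patch 03 CMakeLists hunk), it may be preferable to keep time checks on and set the clock once the network is up, or at least gate the define on a Kconfig option the way `HAVE_OCSP` is gated on `CONFIG_WOLFSSL_HAVE_OCSP` earlier in this file. At minimum, replace the comment with `/* NO_ASN_TIME: certificate notBefore/notAfter are NOT checked; only acceptable when no trusted time source exists */` so the relaxation is explicit to whoever reuses this settings file.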
@@ -856,7 +856,26 @@ Turn on timer debugging (used when CPU cycles not available)
 #define ASN_BER_TO_DER
 #endif
 
-/* Only requires the peer certificate to validate to a trusted certificate.
- * If peer sends additional certificates not in the chain they are allowed,
- * but not trusted */
-// #define WOLFSSL_ALT_CERT_CHAINS
+/** Only requires the peer certificate to validate to a trusted certificate.
+ * If peer sends additional certificates not in the chain they are allowed,
+ * but not trusted
+ */
+#define WOLFSSL_ALT_CERT_CHAINS
+
+/** Use smaller version of the certificate checking code
+ */
+#define WOLFSSL_SMALL_CERT_VERIFY
+
+/** Enable Base-64 encoding
+ */
+#define WOLFSSL_BASE64_ENCODE
+
+/** Disable troublesome SHA acceleration
+ */
+#define NO_WOLFSSL_ESP32_CRYPT_HASH
+
+/** Compile-fix
+ */
+#if !defined(SINGLE_THREADED)
+ #include
+#endif
From d727eeb171dc5569a494b16edc34b1877da6f36c Mon Sep 17 00:00:00 2001
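Review bot: `+#define WOLFSSL_ALT_CERT_CHAINS` and `+#define WOLFSSL_SMALL_CERT_VERIFY` are enabled unconditionally, which relaxes chain validation for every application built against this component rather than only the examples added in the next patch; the `CONFIG_WOLFSSL_HAVE_OCSP` gate earlier in the file shows the settings already have a pattern for making such choices opt-in. The comment on WOLFSSL_ALT_CERT_CHAINS should also state why it is needed on this target (which peer chains failed without it) so the relaxation can be revisited later. The `/** Compile-fix */` block says nothing about what failed, and the `#include` target is not visible in this rendering; suggest `/** Compile-fix: <HEADER_PLACEHOLDER> declares <SYMBOL_PLACEHOLDER>, which is otherwise missing when SINGLE_THREADED is not defined */` with the real names filled in.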
From: Frank Mertens Date: Thu, 1 Aug 2024 02:54:32 +0200 Subject: [PATCH 03/11] Added example and benchmark applications --- CMakeLists.txt | 3 + examples/README.md | 30 -- examples/https_request/CMakeLists.txt | 10 - examples/https_request/Makefile | 10 - examples/https_request/README.md | 5 - examples/https_request/main/CMakeLists.txt | 6 - examples/https_request/main/component.mk | 10 - .../main/https_request_example_main.c | 181 ---------- .../https_request/main/server_root_cert.pem | 24 -- examples/https_request/sdkconfig.defaults | 1 - examples/wolfssl_benchmark/CMakeLists.txt | 41 +++ examples/wolfssl_benchmark/README.md | 265 ++++++++++++++ .../wolfssl_benchmark/main/CMakeLists.txt | 76 ++++ .../wolfssl_benchmark/main/Kconfig.projbuild | 29 ++ .../wolfssl_benchmark/main/idf_component.yml | 5 + .../wolfssl_benchmark/main/include/main.h | 30 ++ examples/wolfssl_benchmark/main/main.c | 336 ++++++++++++++++++ examples/wolfssl_benchmark/sdkconfig.defaults | 97 +++++ examples/wolfssl_client/CMakeLists.txt | 6 - examples/wolfssl_client/Makefile | 12 - examples/wolfssl_client/README.md | 6 - examples/wolfssl_client/main/CMakeLists.txt | 5 - .../wolfssl_client/main/Kconfig.projbuild | 9 - examples/wolfssl_client/main/component.mk | 5 - .../wolfssl_client/main/server_root_cert.pem | 24 -- .../wolfssl_client/main/wolfssl_client_demo.c | 274 -------------- examples/wolfssl_test/CMakeLists.txt | 15 + examples/wolfssl_test/README.md | 175 +++++++++ examples/wolfssl_test/main/CMakeLists.txt | 9 + examples/wolfssl_test/main/Kconfig.projbuild | 29 ++ examples/wolfssl_test/main/idf_component.yml | 5 + examples/wolfssl_test/main/include/main.h | 24 ++ examples/wolfssl_test/main/main.c | 290 +++++++++++++++ .../partitions_singleapp_large.csv | 34 ++ examples/wolfssl_test/sdkconfig.defaults | 98 +++++ port/user_settings.h | 4 + 36 files changed, 1565 insertions(+), 618 deletions(-) delete mode 100644 examples/README.md delete mode 100644 examples/https_request/CMakeLists.txt 
delete mode 100644 examples/https_request/Makefile delete mode 100644 examples/https_request/README.md delete mode 100644 examples/https_request/main/CMakeLists.txt delete mode 100644 examples/https_request/main/component.mk delete mode 100644 examples/https_request/main/https_request_example_main.c delete mode 100644 examples/https_request/main/server_root_cert.pem delete mode 100644 examples/https_request/sdkconfig.defaults create mode 100644 examples/wolfssl_benchmark/CMakeLists.txt create mode 100644 examples/wolfssl_benchmark/README.md create mode 100644 examples/wolfssl_benchmark/main/CMakeLists.txt create mode 100644 examples/wolfssl_benchmark/main/Kconfig.projbuild create mode 100644 examples/wolfssl_benchmark/main/idf_component.yml create mode 100644 examples/wolfssl_benchmark/main/include/main.h create mode 100644 examples/wolfssl_benchmark/main/main.c create mode 100644 examples/wolfssl_benchmark/sdkconfig.defaults delete mode 100644 examples/wolfssl_client/CMakeLists.txt delete mode 100755 examples/wolfssl_client/Makefile delete mode 100644 examples/wolfssl_client/README.md delete mode 100644 examples/wolfssl_client/main/CMakeLists.txt delete mode 100644 examples/wolfssl_client/main/Kconfig.projbuild delete mode 100644 examples/wolfssl_client/main/component.mk delete mode 100644 examples/wolfssl_client/main/server_root_cert.pem delete mode 100644 examples/wolfssl_client/main/wolfssl_client_demo.c create mode 100644 examples/wolfssl_test/CMakeLists.txt create mode 100644 examples/wolfssl_test/README.md create mode 100644 examples/wolfssl_test/main/CMakeLists.txt create mode 100644 examples/wolfssl_test/main/Kconfig.projbuild create mode 100644 examples/wolfssl_test/main/idf_component.yml create mode 100755 examples/wolfssl_test/main/include/main.h create mode 100644 examples/wolfssl_test/main/main.c create mode 100644 examples/wolfssl_test/partitions_singleapp_large.csv create mode 100644 examples/wolfssl_test/sdkconfig.defaults 
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 73e1345..6be9451 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -135,6 +135,9 @@ idf_component_register(
 "wolfssl/wolfcrypt/src/port/Espressif/esp_sdk_time_lib.c"
 "wolfssl/wolfcrypt/src/port/Espressif/esp_sdk_wifi_lib.c"
+ "wolfssl/wolfcrypt/test/test.c"
+ "wolfssl/wolfcrypt/benchmark/benchmark.c"
+
 INCLUDE_DIRS "${CMAKE_CURRENT_LIST_DIR}/port" "${CMAKE_CURRENT_SOURCE_DIR}"
diff --git a/examples/README.md b/examples/README.md
deleted file mode 100644
index bc0618d..0000000
--- a/examples/README.md
+++ /dev/null
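Review bot: Adding `wolfssl/wolfcrypt/test/test.c` and `wolfssl/wolfcrypt/benchmark/benchmark.c` to the component's SRCS compiles the self-test and benchmark harnesses into every firmware that depends on esp-wolfssl, not just the two examples this commit introduces, which costs flash and ships test-only code in production images. Consider guarding the two entries behind a project option (`if(CONFIG_<OPTION_PLACEHOLDER>)` ... `endif()`) or registering them from the examples' own `main/CMakeLists.txt`. The `idf_component_register(` call these lines belong to begins outside the hunk.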
@@ -1,30 +0,0 @@ -# Examples - -## Establishing Wi-Fi or Ethernet Connection - -### About the `example_connect()` Function - -Protocols examples use a simple helper function, `example_connect()`, to establish Wi-Fi or Ethernet connection. This function is implemented in [examples/common_components/protocol_examples/common/connect.c](../common_components/protocol_examples_common/connect.c), and has a very simple behavior: block until connection is established and IP address is obtained, then return. This function is used to reduce the amount of boilerplate and to keep the example code focused on the protocol or library being demonstrated. - -The simple `example_connect()` function does not handle timeouts, does not gracefully handle various error conditions, and is only suited for use in examples. When developing real applications, this helper function needs to be replaced with full Wi-Fi / Ethernet connection handling code. Such code can be found in [examples/wifi/getting_started/](../wifi/getting_started) and [examples/ethernet/basic/](../ethernet/basic) examples. - -### Configuring the Example - -To configure the example to use Wi-Fi or Ethernet connection, open the project configuration menu (`idf.py menuconfig`) and navigate to "Example Connection Configuration" menu. Select either "Wi-Fi" or "Ethernet" in the "Connect using" choice. - -When connecting using Wi-Fi, enter SSID and password of your Wi-Fi access point into the corresponding fields. If connecting to an open Wi-Fi network, keep the password field empty. - -When connecting using Ethernet, set up PHY type and configuration in the provided fields. If using Ethernet for the first time, it is recommended to start with the [Ethernet example readme](../ethernet/basic/README.md), which contains instructions for connecting and configuring the PHY. Once Ethernet example obtains IP address successfully, proceed to the protocols example and set the same configuration options. 
- -### Disabling IPv6 - -By default, `example_connect()` function waits until Wi-Fi or Ethernet connection is established, and IPv4 address and IPv6 link-local address are obtained. In network environments where IPv6 link-local address cannot be obtained, disable "Obtain IPv6 link-local address" option found in "Example Connection Configuration" menu. - -### Building the example -- execute `idf.py build` or `make` in the terminal (inside project directory). - -### Flash and monitor -- execute `idf.py flash monitor` or `make flash monitor` to flash the binary onto the chip and monitor the results - -### Options (Debugging and more) -- Please refer README file in Parent directory esp-wolfssl diff --git a/examples/https_request/CMakeLists.txt b/examples/https_request/CMakeLists.txt deleted file mode 100644 index 3fa9da4..0000000 --- a/examples/https_request/CMakeLists.txt +++ /dev/null @@ -1,10 +0,0 @@ -# The following five lines of boilerplate have to be in your project's -# CMakeLists in this exact order for cmake to work correctly -cmake_minimum_required(VERSION 3.5) - -# (Not part of the boilerplate) -# This example uses an extra component for common functions such as Wi-Fi and Ethernet connection. -set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_examples_common "../../") - -include($ENV{IDF_PATH}/tools/cmake/project.cmake) -project(https_request) diff --git a/examples/https_request/Makefile b/examples/https_request/Makefile deleted file mode 100644 index dbe9a20..0000000 --- a/examples/https_request/Makefile +++ /dev/null @@ -1,10 +0,0 @@ -# -# This is a project Makefile. It is assumed the directory this Makefile resides in is a -# project subdirectory. -# - -PROJECT_NAME := https_request - -EXTRA_COMPONENT_DIRS := $(realpath ../..) -EXTRA_COMPONENT_DIRS += $(IDF_PATH)/examples/common_components/protocol_examples_common -include $(IDF_PATH)/make/project.mk 
diff --git a/examples/https_request/README.md b/examples/https_request/README.md deleted file mode 100644 index 7b158b6..0000000 --- a/examples/https_request/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# HTTPS Request Example - -Uses APIs from `esp-tls` component to make a very simple HTTPS request over a secure connection, including verifying the server TLS certificate. - -See the README.md file in the upper level 'examples' directory for more information about examples. diff --git a/examples/https_request/main/CMakeLists.txt b/examples/https_request/main/CMakeLists.txt deleted file mode 100644 index 5501a68..0000000 --- a/examples/https_request/main/CMakeLists.txt +++ /dev/null @@ -1,6 +0,0 @@ -# Embed the server root certificate into the final binary -# -# (If this was a component, we would set COMPONENT_EMBED_TXTFILES here.) -idf_component_register(SRCS "https_request_example_main.c" - INCLUDE_DIRS "." - EMBED_TXTFILES server_root_cert.pem) \ No newline at end of file diff --git a/examples/https_request/main/component.mk b/examples/https_request/main/component.mk deleted file mode 100644 index 818e2a1..0000000 --- a/examples/https_request/main/component.mk +++ /dev/null @@ -1,10 +0,0 @@ -# -# "main" pseudo-component makefile. -# -# (Uses default behaviour of compiling all source files in directory, adding 'include' to include path.) - -# embed files from the "certs" directory as binary data symbols -# in the app -COMPONENT_EMBED_TXTFILES := server_root_cert.pem - - diff --git a/examples/https_request/main/https_request_example_main.c b/examples/https_request/main/https_request_example_main.c deleted file mode 100644 index efbaf32..0000000 --- a/examples/https_request/main/https_request_example_main.c +++ /dev/null 
@@ -1,181 +0,0 @@ -/* HTTPS GET Example using plain mbedTLS sockets - * - * Contacts the howsmyssl.com API via TLS v1.2 and reads a JSON - * response. - * - * Adapted from the ssl_client1 example in mbedtls. - * - * Original Copyright (C) 2006-2016, ARM Limited, All Rights Reserved, Apache 2.0 License. - * Additions Copyright (C) Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD, Apache 2.0 License. - * - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include -#include -#include "freertos/FreeRTOS.h" -#include "freertos/task.h" -#include "freertos/event_groups.h" -#include "esp_wifi.h" -#include "esp_event.h" -#include "esp_log.h" -#include "esp_system.h" -#include "nvs_flash.h" -#include "protocol_examples_common.h" -#include "esp_netif.h" - -#include "lwip/err.h" -#include "lwip/sockets.h" -#include "lwip/sys.h" -#include "lwip/netdb.h" -#include "lwip/dns.h" - -#include "esp_tls.h" - -/* Constants that aren't configurable in menuconfig */ -#define WEB_SERVER "api.github.com" -#define WEB_PORT (443) -#define WEB_URL "https://api.github.com/zen" - -static const char *TAG = "example"; - -static const char *REQUEST = "GET " WEB_URL " HTTP/1.0\r\n" - "Host: "WEB_SERVER"\r\n" - "User-Agent: esp-idf/1.0 esp32\r\n" - "\r\n"; - -/* Root cert for api.github.com, taken from server_root_cert.pem - - The PEM file was extracted from the output of this command: - openssl s_client -showcerts -connect www.api.github.com:443 = ESP_IDF_VERSION_VAL(5, 0, 0) - 
tls = esp_tls_init(); - if (!tls) { - ESP_LOGE(TAG, "Failed to allocate esp_tls handle!"); - goto exit; - } - - if (esp_tls_conn_http_new_sync(WEB_URL, &cfg, tls) == 1) { - ESP_LOGI(TAG, "Connection established..."); - } else { - ESP_LOGE(TAG, "Connection failed..."); - goto cleanup; - } -#else // ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 0, 0) - tls = esp_tls_conn_http_new(WEB_URL, &cfg); - if (tls != NULL) { - ESP_LOGI(TAG, "Connection established..."); - } else { - ESP_LOGE(TAG, "Connection failed..."); - goto exit; - } -#endif //ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 0, 0) - - size_t written_bytes = 0; - do { - ret = esp_tls_conn_write(tls, - REQUEST + written_bytes, - strlen(REQUEST) - written_bytes); - if (ret >= 0) { - ESP_LOGI(TAG, "%d bytes written", ret); - written_bytes += ret; - } else if (ret != ESP_TLS_ERR_SSL_WANT_READ && ret != ESP_TLS_ERR_SSL_WANT_WRITE) { - ESP_LOGE(TAG, "esp_tls_conn_write returned 0x%x", ret); - goto cleanup; - } - } while (written_bytes < strlen(REQUEST)); - - ESP_LOGI(TAG, "Reading HTTP response..."); - - do { - len = sizeof(buf) - 1; - memset(buf, 0x00, sizeof(buf)); - - ret = esp_tls_conn_read(tls, (char *)buf, len); - if (ret == ESP_TLS_ERR_SSL_WANT_WRITE || ret == ESP_TLS_ERR_SSL_WANT_READ) { - continue; - } else if (ret < 0) { - ESP_LOGE(TAG, "esp_tls_conn_read returned -0x%x", -ret); - break; - } else if (ret == 0) { - ESP_LOGI(TAG, "connection closed"); - break; - } - - len = ret; - ESP_LOGD(TAG, "%d bytes read", len); - /* Print response directly to stdout as it is read */ - for (int i = 0; i < len; i++) { - putchar(buf[i]); - } - putchar('\n'); // JSON output doesn't have a newline at end - } while (1); - -cleanup: - esp_tls_conn_destroy(tls); -exit:; - static int request_count = 0; - ESP_LOGI(TAG, "Completed %d requests", ++request_count); - - for (int countdown = 10; countdown >= 0; countdown--) { - ESP_LOGI(TAG, "%d...", countdown); - vTaskDelay(1000 / portTICK_PERIOD_MS); - } - ESP_LOGI(TAG, "Starting again!"); 
- } -} - -void app_main(void) -{ - ESP_ERROR_CHECK(nvs_flash_init()); - ESP_ERROR_CHECK(esp_netif_init()); - ESP_ERROR_CHECK(esp_event_loop_create_default()); - - /* This helper function configures Wi-Fi or Ethernet, as selected in menuconfig. - * Read "Establishing Wi-Fi or Ethernet Connection" section in - * examples/protocols/README.md for more information about this function. - */ - ESP_ERROR_CHECK(example_connect()); - - xTaskCreate(&https_get_task, "https_get_task", 8192, NULL, 5, NULL); -} diff --git a/examples/https_request/main/server_root_cert.pem b/examples/https_request/main/server_root_cert.pem deleted file mode 100644 index e3cbad9..0000000 --- a/examples/https_request/main/server_root_cert.pem +++ /dev/null 
@@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEFzCCAv+gAwIBAgIQB/LzXIeod6967+lHmTUlvTANBgkqhkiG9w0BAQwFADBh -MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 -d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD -QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaMFYxCzAJBgNVBAYTAlVT -MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMDAuBgNVBAMTJ0RpZ2lDZXJ0IFRMUyBI -eWJyaWQgRUNDIFNIQTM4NCAyMDIwIENBMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA -BMEbxppbmNmkKaDp1AS12+umsmxVwP/tmMZJLwYnUcu/cMEFesOxnYeJuq20ExfJ -qLSDyLiQ0cx0NTY8g3KwtdD3ImnI8YDEe0CPz2iHJlw5ifFNkU3aiYvkA8ND5b8v -c6OCAYIwggF+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFAq8CCkXjKU5 -bXoOzjPHLrPt+8N6MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G -A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdgYI -KwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j -b20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp -Q2VydEdsb2JhbFJvb3RDQS5jcnQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2Ny -bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDA9BgNVHSAE -NjA0MAsGCWCGSAGG/WwCATAHBgVngQwBATAIBgZngQwBAgEwCAYGZ4EMAQICMAgG -BmeBDAECAzANBgkqhkiG9w0BAQwFAAOCAQEAR1mBf9QbH7Bx9phdGLqYR5iwfnYr -6v8ai6wms0KNMeZK6BnQ79oU59cUkqGS8qcuLa/7Hfb7U7CKP/zYFgrpsC62pQsY -kDUmotr2qLcy/JUjS8ZFucTP5Hzu5sn4kL1y45nDHQsFfGqXbbKrAjbYwrwsAZI/ -BKOLdRHHuSm8EdCGupK8JvllyDfNJvaGEwwEqonleLHBTnm8dqMLUeTF0J5q/hos -Vq4GNiejcxwIfZMy0MJEGdqN9A57HSgDKwmKdsp33Id6rHtSJlWncg+d0ohP/rEh -xRqhqjn1VtvChMQ1H3Dau0bwhr9kAMQ+959GG50jBbl9s08PqUU643QwmA== ------END CERTIFICATE----- diff --git a/examples/https_request/sdkconfig.defaults b/examples/https_request/sdkconfig.defaults deleted file mode 100644 index 41b881e..0000000 --- a/examples/https_request/sdkconfig.defaults +++ /dev/null @@ -1 +0,0 @@ -CONFIG_ESP_TLS_USING_WOLFSSL=y diff --git a/examples/wolfssl_benchmark/CMakeLists.txt b/examples/wolfssl_benchmark/CMakeLists.txt new file mode 100644 index 0000000..8c66ae2 --- /dev/null +++ b/examples/wolfssl_benchmark/CMakeLists.txt 
@@ -0,0 +1,41 @@ +# wolfSSL Espressif Example Project CMakeLists.txt +# v1.0 +# +# The following lines of boilerplate have to be in your project's +# CMakeLists in this exact order for cmake to work correctly +cmake_minimum_required(VERSION 3.16) + +add_compile_options(-DWOLFSSL_ESP_NO_WATCHDOG=1) +# The wolfSSL CMake file should be able to find the source code. +# Otherwise, assign an environment variable or set it here: +# +# set(WOLFSSL_ROOT "~/workspace/wolfssl-other-source") +# +# Optional WOLFSSL_CMAKE_SYSTEM_NAME detection to find +# USE_MY_PRIVATE_CONFIG path for my_private_config.h +# +# Expected path varies: +# +# WSL: /mnt/c/workspace +# Linux: ~/workspace +# Windows: C:\workspace +# + +# Optionally specify a location for wolfSSL component source code +# set(WOLFSSL_ROOT "c:/mydir/wolfssl" ) +# This example uses an extra component for common functions such as Wi-Fi and Ethernet connection. +# set (PROTOCOL_EXAMPLES_DIR $ENV{IDF_PATH}/examples/common_components/protocol_examples_common) +# +#if (EXISTS "${PROTOCOL_EXAMPLES_DIR}") +# message("Found PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}") +# set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_examples_common) +# set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DFOUND_PROTOCOL_EXAMPLES_DIR") +#else() +# message("NOT FOUND: PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}") +#endif() + +# Not only is a project-level "set(COMPONENTS" not needed here, this will cause +# an unintuitive error about Unknown CMake command "esptool_py_flash_project_args". +include($ENV{IDF_PATH}/tools/cmake/project.cmake) + +project(wolfssl_benchmark) diff --git a/examples/wolfssl_benchmark/README.md b/examples/wolfssl_benchmark/README.md new file mode 100644 index 0000000..7b3a4f2 --- /dev/null +++ b/examples/wolfssl_benchmark/README.md 
@@ -0,0 +1,265 @@ +# wolfSSL Benchmark Example + +This ESP32 example uses the [wolfSSL wolfcrypt Benchmark Application](https://github.com/wolfSSL/wolfssl/tree/master/wolfcrypt/benchmark). + +For general information on [wolfSSL examples for Espressif](../README.md), see the +[README](https://github.com/wolfSSL/wolfssl/blob/master/IDE/Espressif/ESP-IDF/README.md) file. + +## Espressif ESP Component Registry + +See the wolfSSL namespace at [components.espressif.com](https://components.espressif.com/components?q=wolfssl) + + +## Windows COM Port + +All of these examples use COM20 on Windows. The DOS `change port` command can be use to assign any +other local port to `COM20` as needed: + +``` +change port com20=com23 +``` + +## Bulk Testing + +If you have a test jig with multiple ESP32 devices and you'd like to run this wolfcrypt benchmark on all of them, check out +the `testAll.sh` and `testMonitor.sh` scripts in the [../wolfssl_test](../wolfssl_test/README.md) directory. Copy those +bash script files to this project. See the `esp32[NN]_PORT` and `esp32[NN]_PUTTY` settings in `testMonitor.sh` that will +be machine-specific. + +## VisualGDB + +Open the VisualGDB Visual Studio Project file in the VisualGDB directory and click the "Start" button. +No wolfSSL setup is needed. You may need to adjust your specific COM port. The default is `COM20`. + +Include in the respective project `./VisualGDB` directory are [VisualGDB](https://visualgdb.com/) project files. +Individual project files are included for convenience to new users, +as there are [difficulties switching between ESP-IDF Versions or Chipsets](https://sysprogs.com/w/forums/topic/difficulties-switching-espressif-esp-idf-version-or-chipset/) +using the VisualGDB extension. + +The naming convention for project files is: `[project name]_IDF_[Version]_[chipset].vgdbproj`. The solution files (filename[.sln]) often will contain shortcuts to commonly used source and configuration files used by the respective project. 
+ + +-------- |------------- |------------- | +ChipSet | ESP-IDF v4.4 | ESP-IDF v5.1 | +-------- |------------- |------------- | +ESP32 | x | | +ESP32-S2 | | | +ESP32-S3 | x | x | +ESP32-C3 | x | x | +ESP32-C6 | | | + + +The default directories are: + +- `C:\SysGCC` - The root directory install of VisualGDB +- `C:\SysGCC\esp32` - The default for ESP-IDF v5.x +- `C:\SysGCC\esp32-8.4` - Many need to manually select this name for ESP-IDF v4.x install +- `C:\SysGCC\esp8266`- The default for ESP8266 + +Windows ports assigned with the `change port` command may not appear in the VisualGDB dropdowns but can still +be used when manually typed. +See the [feature request](https://sysprogs.com/w/forums/topic/feature-request-show-windows-change-port-results-in-com-port-dropdown-lists/). + +## ESP-IDF Commandline + +1. `idf.py menuconfig` to configure the program. + 1-1. Example Configuration -> + + BENCH_ARG : argument that you want to use. Default is "-lng 0" + The list of argument can be find in help. + +When you want to run the benchmark program + +1. `idf.py -p flash` to compile and load the firmware +2. `idf.py monitor` to see the message + +See the README.md file in the upper level 'examples' directory for more information about examples. + +## Performance + +Reminder than when building on WSL in `/mnt/c` there will be a noticeable performance degradation at compile time. Using `~/` will be faster at the cost of shared filesystems. + +Example build on WSL: + +``` +Optionally update toolchain + +cd /mnt/c/SysGCC/esp32/esp-idf/master +git fetch +git pull +git submodule update --init --recursive + +cd /mnt/c/workspace/wolfssl/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark + +# Pick ESP-IDF install directory, this one for v5.1 in VisualGDB + +WRK_IDF_PATH=/mnt/c/SysGCC/esp32/esp-idf/v5.1 +WRK_IDF_PATH=/mnt/c/SysGCC/esp32-8.4/esp-idf/v4.4.1 +WRK_IDF_PATH=~/esp/esp-idf + +. 
$WRK_IDF_PATH/export.sh + +# Set target SoC +idf.py set-target esp32c3 + +# Optionally erase + +# Build and flash +idf.py build flash -p /dev/ttyS20 -b 115200 monitor +``` + +## Example Output + +Note the default wolfSSL `user_settings.h` is configured by default to be the most +compatible across the widest ranges of targets. Contact wolfSSL at support@wolfssl.com +for help in optimizing for your particular application, or see the +[docs](https://www.wolfssl.com/documentation/manuals/wolfssl/index.html). + +Compiled and flashed with `idf.py build flash -p /dev/ttyS7 -b 115200 monitor`: + +``` +--- idf_monitor on /dev/ttyS7 115200 --- +--- Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H --- + (377) cpu_start: Starting scheduler ets Jun 8 2016 00:22:57 + +rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT) +configsip: 0, SPIWP:0xee +clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00 +mode:DIO, clock div:2 +load:0x3fff0030,len:6664 +load:0x40078000,len:14848 +load:0x40080400,len:3792 +0x40080400: _init at ??:? + +entry 0x40080694 +I (27) boot: ESP-IDF v4.4.2-dirty 2nd stage bootloader +I (27) boot: compile time 13:41:41 +I (27) boot: chip revision: 1 +I (30) boot_comm: chip revision: 1, min. bootloader chip revision: 0 +I (37) boot.esp32: SPI Speed : 40MHz +I (42) boot.esp32: SPI Mode : DIO +I (46) boot.esp32: SPI Flash Size : 2MB +I (51) boot: Enabling RNG early entropy source... +I (56) boot: Partition Table: +I (60) boot: ## Label Usage Type ST Offset Length +I (67) boot: 0 nvs WiFi data 01 02 00009000 00006000 +I (75) boot: 1 phy_init RF data 01 01 0000f000 00001000 +I (82) boot: 2 factory factory app 00 00 00010000 00100000 +I (90) boot: End of partition table +I (94) boot_comm: chip revision: 1, min. 
application chip revision: 0 +I (101) esp_image: segment 0: paddr=00010020 vaddr=3f400020 size=12bf4h ( 76788) map +I (137) esp_image: segment 1: paddr=00022c1c vaddr=3ffb0000 size=02420h ( 9248) load +I (141) esp_image: segment 2: paddr=00025044 vaddr=40080000 size=0afd4h ( 45012) load +I (161) esp_image: segment 3: paddr=00030020 vaddr=400d0020 size=33148h (209224) map +I (237) esp_image: segment 4: paddr=00063170 vaddr=4008afd4 size=00550h ( 1360) load +I (238) esp_image: segment 5: paddr=000636c8 vaddr=50000000 size=00010h ( 16) load +I (249) boot: Loaded app from partition at offset 0x10000 +I (249) boot: Disabling RNG early entropy source... +I (266) cpu_start: Pro cpu up. +I (266) cpu_start: Starting app cpu, entry point is 0x40081098 +0x40081098: call_start_cpu1 at /mnt/c/SysGCC/esp32/esp-idf/v4.4.2/components/esp_system/port/cpu_start.c:160 + +I (0) cpu_start: App cpu up. +I (280) cpu_start: Pro cpu start user code +I (280) cpu_start: cpu freq: 240000000 +I (280) cpu_start: Application information: +I (285) cpu_start: Project name: wolfssl_benchmark +I (291) cpu_start: App version: v5.5.3-stable-108-gbd7b442df-di +I (298) cpu_start: Compile time: Nov 17 2022 14:10:03 +I (304) cpu_start: ELF file SHA256: fbb520f5bbf963a0... +I (310) cpu_start: ESP-IDF: v4.4.2-dirty +I (316) heap_init: Initializing. RAM available for dynamic allocation: +I (323) heap_init: At 3FFAE6E0 len 00001920 (6 KiB): DRAM +I (329) heap_init: At 3FFB3DE8 len 0002C218 (176 KiB): DRAM +I (335) heap_init: At 3FFE0440 len 00003AE0 (14 KiB): D/IRAM +I (341) heap_init: At 3FFE4350 len 0001BCB0 (111 KiB): D/IRAM +I (348) heap_init: At 4008B524 len 00014ADC (82 KiB): IRAM +I (355) spi_flash: detected chip: generic +I (359) spi_flash: flash io: dio +W (362) spi_flash: Detected size(4096k) larger than the size in the binary image header(2048k). Using the size in the binary image header. +I (377) cpu_start: Starting scheduler on PRO CPU. +I (0) cpu_start: Starting scheduler on APP CPU. 
+I (391) wolfssl_benchmark: app_main CONFIG_BENCH_ARGV = -lng 0 +I (397) wolfssl_benchmark: construct_argv arg:-lng 0 + +------------------------------------------------------------------------------ + wolfSSL version 5.5.3 +------------------------------------------------------------------------------ +wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each) +RNG 1 MiB took 1.017 seconds, 1.320 MiB/s +AES-128-CBC-enc 6 MiB took 1.002 seconds, 5.726 MiB/s +AES-128-CBC-dec 5 MiB took 1.000 seconds, 5.347 MiB/s +AES-192-CBC-enc 6 MiB took 1.004 seconds, 5.714 MiB/s +AES-192-CBC-dec 5 MiB took 1.001 seconds, 5.341 MiB/s +AES-256-CBC-enc 6 MiB took 1.000 seconds, 5.713 MiB/s +AES-256-CBC-dec 5 MiB took 1.002 seconds, 5.336 MiB/s +AES-128-GCM-enc 300 KiB took 1.004 seconds, 298.805 KiB/s +AES-128-GCM-dec 300 KiB took 1.004 seconds, 298.805 KiB/s +AES-192-GCM-enc 300 KiB took 1.007 seconds, 297.915 KiB/s +AES-192-GCM-dec 300 KiB took 1.008 seconds, 297.619 KiB/s +AES-256-GCM-enc 300 KiB took 1.011 seconds, 296.736 KiB/s +AES-256-GCM-dec 300 KiB took 1.011 seconds, 296.736 KiB/s +GMAC Default 403 KiB took 1.002 seconds, 402.196 KiB/s +3DES 450 KiB took 1.028 seconds, 437.743 KiB/s +MD5 14 MiB took 1.001 seconds, 13.756 MiB/s +SHA 14 MiB took 1.001 seconds, 14.463 MiB/s +SHA-256 14 MiB took 1.000 seconds, 14.233 MiB/s +SHA-512 17 MiB took 1.000 seconds, 16.626 MiB/s +HMAC-MD5 14 MiB took 1.000 seconds, 13.599 MiB/s +HMAC-SHA 14 MiB took 1.000 seconds, 13.989 MiB/s +HMAC-SHA256 14 MiB took 1.000 seconds, 13.940 MiB/s +HMAC-SHA512 16 MiB took 1.000 seconds, 16.064 MiB/s +PBKDF2 640 bytes took 1.009 seconds, 634.291 bytes/s +RSA 2048 public 52 ops took 1.022 sec, avg 19.654 ms, 50.881 ops/sec +RSA 2048 private 4 ops took 1.056 sec, avg 264.000 ms, 3.788 ops/sec +ECC [ SECP256R1] 256 key gen 4 ops took 1.216 sec, avg 304.000 ms, 3.289 ops/sec +ECDHE [ SECP256R1] 256 agree 4 ops took 1.215 sec, avg 303.750 ms, 3.292 ops/sec +ECDSA [ SECP256R1] 256 sign 4 ops took 1.226 sec, avg 
306.500 ms, 3.263 ops/sec +ECDSA [ SECP256R1] 256 verify 2 ops took 1.172 sec, avg 586.000 ms, 1.706 ops/sec +CURVE 25519 key gen 3 ops took 1.279 sec, avg 426.333 ms, 2.346 ops/sec +CURVE 25519 agree 4 ops took 1.701 sec, avg 425.250 ms, 2.352 ops/sec +ED 25519 key gen 46 ops took 1.008 sec, avg 21.913 ms, 45.635 ops/sec +ED 25519 sign 42 ops took 1.038 sec, avg 24.714 ms, 40.462 ops/sec +ED 25519 verify 26 ops took 1.009 sec, avg 38.808 ms, 25.768 ops/sec +Benchmark complete +``` + +## Known Issues and Common Issues + +### Permission denied + +Delete project directory `build`, `.visualgdb` and `.vs` directories. Ensure no other build +process is using the same files in Windows, WSL, Visual Studio, VSCode, etc. + +Example message: + +``` +-- Building ESP-IDF components for target esp32 +CMake Error at /mnt/c/SysGCC/esp32/esp-idf/v4.4.2/tools/cmake/component.cmake:131 (file): + file failed to open for writing (Permission denied): + + /mnt/c/workspace-pr/wolfssl/IDE/Espressif/ESP-IDF/examples/wolfssl_test/build/bootloader/component_properties.temp.cmake +``` + + +### user_settings.h: No such file or directory + +Ensure wolfSSL is installed in the ESP-IDF or local project `components` directory. + +Example message: + +``` + esp-idf/main/CMakeFiles/__idf_main.dir/main.c.obj -c ../main/main.c +../main/main.c:27:10: fatal error: user_settings.h: No such file or directory + #include + ^~~~~~~~~~~~~~~~~ +compilation terminated. +``` + +A 'clean` may be needed after freshly installing a new component: + +``` +idf.py clean build flash -p /dev/ttyS7 -b 115200 monitor +``` + +See the README.md file in the upper level 'examples' directory for [more information about examples](../README.md). diff --git a/examples/wolfssl_benchmark/main/CMakeLists.txt b/examples/wolfssl_benchmark/main/CMakeLists.txt new file mode 100644 index 0000000..e37c4d5 --- /dev/null +++ b/examples/wolfssl_benchmark/main/CMakeLists.txt 
@@ -0,0 +1,76 @@
+#
+# wolfssl benchmark test
+#
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
+
+set(COMPONENT_SRCS "main.c")
+set(COMPONENT_ADD_INCLUDEDIRS ".")
+
+set (git_cmd "git")
+
+if( EXISTS "${CMAKE_HOME_DIRECTORY}/components/wolfssl/" AND EXISTS "$ENV{IDF_PATH}/components/wolfssl/" )
+ #
+ # wolfSSL found in both ESP-IDF and local project - needs to be resolved by user
+ #
+ message(STATUS "")
+ message(STATUS "WARNING: Found components/wolfssl in both local project and IDF_PATH")
+ message(STATUS "")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_MULTI_INSTALL_WARNING")
+endif()
+
+idf_component_register(SRCS main.c
+ INCLUDE_DIRS "."
+ "./include")
+
+#
+# LIBWOLFSSL_SAVE_INFO(VAR_OUPUT THIS_VAR VAR_RESULT)
+#
+# Save the THIS_VAR as a string in a macro called VAR_OUPUT
+#
+# VAR_OUPUT: the name of the macro to define
+# THIS_VAR: the OUTPUT_VARIABLE result from a execute_process()
+# VAR_RESULT: the RESULT_VARIABLE from a execute_process(); "0" if successful.
+#
+function ( LIBWOLFSSL_SAVE_INFO VAR_OUPUT THIS_VAR VAR_RESULT )
+ # is the RESULT_VARIABLE output value 0? If so, IS_VALID_VALUE is true.
+ string(COMPARE EQUAL "${VAR_RESULT}" "0" IS_VALID_VALUE)
+
+ # if we had a successful operation, save the THIS_VAR in VAR_OUPUT
+ if(${IS_VALID_VALUE})
+ # strip newline chars in THIS_VAR parameter and save in VAR_VALUE
+ string(REPLACE "\n" "" VAR_VALUE ${THIS_VAR})
+
+ # we'll could percolate the value to the parent for possible later use
+ # set(${VAR_OUPUT} ${VAR_VALUE} PARENT_SCOPE)
+
+ # but we're only using it here in this function
+ set(${VAR_OUPUT} ${VAR_VALUE})
+
+ # we'll print what we found to the console
+ message(STATUS "Found ${VAR_OUPUT}=${VAR_VALUE}")
+
+ # the interesting part is defining the VAR_OUPUT name a value to use in the app
+ add_definitions(-D${VAR_OUPUT}=\"${VAR_VALUE}\")
+ else()
+ # if we get here, check the execute_process command and parameters.
+ message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT")
+ set(${VAR_OUPUT} "Unknown")
+ endif()
+endfunction() # LIBWOLFSSL_SAVE_INFO
+
+if(NOT CMAKE_BUILD_EARLY_EXPANSION)
+ # LIBWOLFSSL_VERSION_GIT_HASH
+ execute_process(COMMAND ${git_cmd} "rev-parse" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET )
+ LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH "${TMP_OUT}" "${TMP_RES}")
+
+ # LIBWOLFSSL_VERSION_GIT_SHORT_HASH
+ execute_process(COMMAND ${git_cmd} "rev-parse" "--short" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET )
+ LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_SHORT_HASH "${TMP_OUT}" "${TMP_RES}")
+
+ # LIBWOLFSSL_VERSION_GIT_HASH_DATE
+ execute_process(COMMAND ${git_cmd} "show" "--no-patch" "--no-notes" "--pretty=\'\%cd\'" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES )
+ LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH_DATE "${TMP_OUT}" "${TMP_RES}")
+endif()
+
+message(STATUS "")
+
diff --git a/examples/wolfssl_benchmark/main/Kconfig.projbuild b/examples/wolfssl_benchmark/main/Kconfig.projbuild
new file mode 100644
index 0000000..8fd12d3
--- /dev/null
+++ b/examples/wolfssl_benchmark/main/Kconfig.projbuild
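Review bot: `string(REPLACE "\n" "" VAR_VALUE ${THIS_VAR})` in LIBWOLFSSL_SAVE_INFO passes THIS_VAR unquoted, so if git ever returns exit status 0 with empty output the call collapses to three arguments and CMake aborts configuration with an argument-count error; quoting it, `string(REPLACE "\n" "" VAR_VALUE "${THIS_VAR}")`, keeps the empty case on the normal path. The cleaned value is then spliced verbatim into `add_definitions(-D${VAR_OUPUT}=\"${VAR_VALUE}\")`, so a double quote or backslash in git's output would break the compiler command line; escaping it, or passing it through `target_compile_definitions` after `idf_component_register`, would be more robust. The third `execute_process` (the `--pretty` date) is the only one without `ERROR_QUIET`, so a build from an exported tarball rather than a git checkout prints git's error into the configure log; presumably unintended given the other two.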
@@ -0,0 +1,29 @@
+menu "Example Configuration"
+
+config BENCH_ARGV
+ string "Arguments for benchmark test"
+ default "-lng 0"
+ help
+ -? Help, print this usage
+ 0: English, 1: Japanese
+ -csv Print terminal output in csv format
+ -base10 Display bytes as power of 10 (eg 1 kB = 1000 Bytes)
+ -no_aad No additional authentication data passed.
+ -dgst_full Full digest operation performed.
+ -rsa_sign Measure RSA sign/verify instead of encrypt/decrypt.
+ - Algorithm to benchmark. Available algorithms include:
+ cipher aes-cbc aes-gcm chacha20 chacha20-poly1305
+ digest md5 poly1305 sha sha2 sha224 sha256 sha384 sha512 sha3
+ sha3-224 sha3-256 sha3-384 sha3-512
+ mac hmac hmac-md5 hmac-sha hmac-sha224 hmac-sha256 hmac-sha384
+ hmac-sha512
+ asym rsa rsa-sz dh ecc-kg ecc
+ other rng
+ -lng Display benchmark result by specified language.
+ 0: English, 1: Japanese
+ Size of block in bytes
+
+ e.g -lng 1
+ e.g sha
+
+endmenu
diff --git a/examples/wolfssl_benchmark/main/idf_component.yml b/examples/wolfssl_benchmark/main/idf_component.yml
new file mode 100644
index 0000000..b64adee
--- /dev/null
+++ b/examples/wolfssl_benchmark/main/idf_component.yml
@@ -0,0 +1,5 @@
+dependencies:
+ esp-wolfssl:
+ override_path: '../../../'
+ idf:
+ version: ">=5.3.0"
diff --git a/examples/wolfssl_benchmark/main/include/main.h b/examples/wolfssl_benchmark/main/include/main.h
new file mode 100644
index 0000000..cae03b4
--- /dev/null
+++ b/examples/wolfssl_benchmark/main/include/main.h
@@ -0,0 +1,30 @@
+/* benchmark main.h
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef _MAIN_
+#define _MAIN_
+
+void app_main(void);
+
+/* see wolfssl/wolfcrypt/benchmark/benchmark.h */
+extern void wolf_benchmark_task();
+
+#endif
diff --git a/examples/wolfssl_benchmark/main/main.c b/examples/wolfssl_benchmark/main/main.c
new file mode 100644
index 0000000..3381f25
--- /dev/null
+++ b/examples/wolfssl_benchmark/main/main.c
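Review bot: The include guard `_MAIN_` is an identifier reserved for the implementation (leading underscore followed by an uppercase letter) and is generic enough to collide with another component's `main.h`; a project-specific name such as `#ifndef WOLFSSL_BENCHMARK_MAIN_H` / `#define WOLFSSL_BENCHMARK_MAIN_H` avoids both problems. `extern void wolf_benchmark_task();` declares an unspecified parameter list, so a call with the wrong arguments would compile without a diagnostic; if the definition in benchmark.c takes no arguments, write `extern void wolf_benchmark_task(void);`, or include the benchmark header the comment points to instead of re-declaring it here. A one-line comment that `app_main` is the entry point invoked by ESP-IDF rather than by this project's code would also help a reader new to the framework.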
@@ -0,0 +1,336 @@
+/* benchmark main.c
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* ESP-IDF */
+#include "sdkconfig.h"
+#include
+
+/* wolfSSL */
+/* The wolfSSL user_settings.h file is automatically included by the settings.h
+ * file and should never be explicitly included in any other source files.
+ * The settings.h should also be listed above wolfssl library include files. */
+#include
+#include
+#include
+#include
+#ifndef WOLFSSL_ESPIDF
+ #error "Problem with wolfSSL user_settings. " \
+ "Check components/wolfssl/include " \
+ "and confirm WOLFSSL_USER_SETTINGS is defined, " \
+ "typically in the component CMakeLists.txt"
+#endif
+
+#include
+#include
+
+/* Hardware; include after other libraries,
+ * particularly after freeRTOS from settings.h */
+#include
+
+/* set to 0 for one benchmark,
+** set to 1 for continuous benchmark loop */
+#define BENCHMARK_LOOP 0
+
+#define THIS_MONITOR_UART_RX_BUFFER_SIZE 200
+
+#ifdef CONFIG_ESP8266_XTAL_FREQ_26
+ /* 26MHz crystal: 74880 bps */
+ #define THIS_MONITOR_UART_BAUD_DATE 74880
+#else
+ /* 40MHz crystal: 115200 bps */
+ #define THIS_MONITOR_UART_BAUD_DATE 115200
+#endif
+
+/* check BENCH_ARGV in sdkconfig to determine need to set WOLFSSL_BENCH_ARGV */
+#ifdef CONFIG_BENCH_ARGV
+ #define WOLFSSL_BENCH_ARGV CONFIG_BENCH_ARGV
+ #define WOLFSSL_BENCH_ARGV_MAX_ARGUMENTS 22 /* arbitrary number of max args */
+#endif
+
+/*
+** the wolfssl component can be installed in either:
+**
+** - the ESP-IDF component directory
+**
+** ** OR **
+**
+** - the local project component directory
+**
+** it is not recommended to install in both.
+**
+*/
+
+#include "main.h"
+
+static const char* const TAG = "wolfssl_benchmark";
+
+#if defined(WOLFSSL_ESPWROOM32SE) && defined(HAVE_PK_CALLBACKS) \
+ && defined(WOLFSSL_ATECC508A)
+
+#include "wolfssl/wolfcrypt/port/atmel/atmel.h"
+
+/* when you need to use a custom slot allocation, */
+/* enable the definition CUSTOM_SLOT_ALLOCAION. */
+#if defined(CUSTOM_SLOT_ALLOCATION)
+
+static byte mSlotList[ATECC_MAX_SLOT];
+
+int atmel_set_slot_allocator(atmel_slot_alloc_cb alloc, atmel_slot_dealloc_cb dealloc);
+
+/* initialize slot array */
+void my_atmel_slotInit()
+{
+ int i;
+ for(i = 0;i < ATECC_MAX_SLOT;i++) {
+ mSlotList[i] = ATECC_INVALID_SLOT;
+ }
+}
+
+/* allocate slot depending on slotType */
+int my_atmel_alloc(int slotType)
+{
+ int i, slot = -1;
+
+ switch(slotType){
+ case ATMEL_SLOT_ENCKEY:
+ slot = 4;
+ break;
+ case ATMEL_SLOT_DEVICE:
+ slot = 0;
+ break;
+ case ATMEL_SLOT_ECDHE:
+ slot = 0;
+ break;
+ case ATMEL_SLOT_ECDHE_ENC:
+ slot = 4;
+ break;
+ case ATMEL_SLOT_ANY:
+ for(i = 0;i < ATECC_MAX_SLOT;i++){
+ if(mSlotList[i] == ATECC_INVALID_SLOT){
+ slot = i;
+ break;
+ }
+ }
+ }
+
+ return slot;
+}
+
+/* free slot array */
+void my_atmel_free(int slotId)
+{
+ if(slotId >= 0 && slotId < ATECC_MAX_SLOT){
+ mSlotList[slotId] = ATECC_INVALID_SLOT;
+ }
+}
+
+#endif /* CUSTOM_SLOT_ALLOCATION */
+#endif /* WOLFSSL_ESPWROOM32SE && HAVE_PK_CALLBACK && WOLFSSL_ATECC508A */
+
+/* the following are needed by benchmark.c with args */
+#ifdef WOLFSSL_BENCH_ARGV
+char* __argv[WOLFSSL_BENCH_ARGV_MAX_ARGUMENTS];
+#define ARG_BUFF_SIZE 16
+
+int construct_argv()
+{
+ int cnt = 0;
+ int i = 0;
+ int len = 0;
+ char *_argv; /* buffer for copying the string */
+ char *ch; /* char pointer to trace the string */
+ char buff[ARG_BUFF_SIZE] = { 0 }; /* buffer for a argument copy */
+
+ ESP_LOGI(TAG, "construct_argv arg:%s\n", CONFIG_BENCH_ARGV);
+ len = strlen(CONFIG_BENCH_ARGV);
+ _argv = (char*)malloc(len + 1);
+ if (!_argv) {
+ return -1;
+ }
+ memset(_argv, 0, len + 1);
+ memcpy(_argv, CONFIG_BENCH_ARGV, len);
+ _argv[len] = '\0';
+ ch = _argv;
+
+ __argv[cnt] = malloc(10);
+ sprintf(__argv[cnt], "benchmark");
+ __argv[cnt][9] = '\0';
+ cnt = 1;
+
+ while (*ch != '\0') {
+ /* check that we don't overflow manual arg assembly */
+ if (cnt >= (WOLFSSL_BENCH_ARGV_MAX_ARGUMENTS)) {
+ ESP_LOGE(TAG, "Abort construct_argv;"
+ "Reached maximum defined arguments = %d",
+ WOLFSSL_BENCH_ARGV_MAX_ARGUMENTS);
+ break;
+ }
+
+ /* skip white-space */
+ while (*ch == ' ') { ++ch; }
+
+ memset(buff, 0, sizeof(buff));
+ /* copy each args into buffer */
+ i = 0;
+ while ((*ch != ' ') && (*ch != '\0') && (i <= ARG_BUFF_SIZE)) {
+ buff[i] = *ch;
+ ++i;
+ ++ch;
+ }
+ /* copy the string into argv */
+ __argv[cnt] = (char*)malloc(i + 1);
+ memset(__argv[cnt], 0, i + 1);
+ memcpy(__argv[cnt], buff, i + 1);
+ /* next args */
+ ++cnt;
+ }
+
+ free(_argv);
+
+ return (cnt);
+}
+#endif
+
+/* entry point */
+void app_main(void)
+{
+ int stack_start = 0;
+
+ uart_config_t uart_config = {
+ .baud_rate = THIS_MONITOR_UART_BAUD_DATE,
+ .data_bits = UART_DATA_8_BITS,
+ .parity = UART_PARITY_DISABLE,
+ .stop_bits = UART_STOP_BITS_1,
+ };
+ esp_err_t ret = 0;
+ stack_start = esp_sdk_stack_pointer();
+
+ /* uart_set_pin(UART_NUM_0, TX_PIN, RX_PIN,
+ * UART_PIN_NO_CHANGE, UART_PIN_NO_CHANGE); */
+
+ /* Some targets may need to have UART speed set, such as ESP8266 */
+ ESP_LOGI(TAG, "UART init");
+ uart_param_config(UART_NUM_0, &uart_config);
+ uart_driver_install(UART_NUM_0,
+ THIS_MONITOR_UART_RX_BUFFER_SIZE, 0, 0, NULL, 0);
+
+ ESP_LOGI(TAG, "---------------- wolfSSL Benchmark Example -------------");
+ ESP_LOGI(TAG, "--------------------------------------------------------");
+ ESP_LOGI(TAG, "--------------------------------------------------------");
+ ESP_LOGI(TAG, "---------------------- BEGIN MAIN ----------------------");
+ ESP_LOGI(TAG, "--------------------------------------------------------");
+ ESP_LOGI(TAG, "--------------------------------------------------------");
+ ESP_LOGI(TAG, "Stack Start: 0x%x", stack_start);
+
+#ifdef WOLFSSL_ESP_NO_WATCHDOG
+ ESP_LOGW(TAG, "Found WOLFSSL_ESP_NO_WATCHDOG, disabling...");
+ esp_DisableWatchdog();
+#endif
+
+#if defined(HAVE_VERSION_EXTENDED_INFO) && defined(WOLFSSL_HAS_METRICS)
+ esp_ShowExtendedSystemInfo();
+#endif
+
+ /* all platforms: stack high water mark check */
+ ESP_LOGI(TAG, "app_main CONFIG_BENCH_ARGV = %s", WOLFSSL_BENCH_ARGV);
+
+/* when using atecc608a on esp32-wroom-32se */
+#if defined(WOLFSSL_ESPWROOM32SE) && defined(HAVE_PK_CALLBACKS) \
+ && defined(WOLFSSL_ATECC508A)
+ #if defined(CUSTOM_SLOT_ALLOCATION)
+ my_atmel_slotInit();
+ /* to register the callback, it needs to be initialized. */
+ if ((wolfCrypt_Init()) != 0) {
+ ESP_LOGE(TAG, "wolfCrypt_Init failed");
+ return;
+ }
+ atmel_set_slot_allocator(my_atmel_alloc, my_atmel_free);
+ #endif
+#endif
+
+#ifdef NO_CRYPT_BENCHMARK
+ ESP_LOGI(TAG, "NO_CRYPT_BENCHMARK defined, skipping wolf_benchmark_task")
+#else
+
+ /* although wolfCrypt_Init() may be explicitly called above,
+ ** note it is still always called in wolf_benchmark_task.
+ */
+ stack_start = uxTaskGetStackHighWaterMark(NULL);
+
+ do {
+ ESP_LOGI(TAG, "Stack HWM: %d\n", uxTaskGetStackHighWaterMark(NULL));
+
+ wolf_benchmark_task(); /* TODO capture return value! */
+ ESP_LOGI(TAG, "Stack used: %d\n",
+ stack_start - uxTaskGetStackHighWaterMark(NULL));
+
+ #if defined(WOLFSSL_HW_METRICS) && defined(WOLFSSL_HAS_METRICS)
+ esp_hw_show_metrics();
+ #endif
+ } while (BENCHMARK_LOOP);
+ /* Reminder: wolfCrypt_Cleanup should always be called at completion,
+ ** and is called in wolf_benchmark_task(). */
+
+#if defined(SINGLE_THREADED)
+ /* need stack monitor for single thread */
+#else
+ ESP_LOGI(TAG, "Stack HWM: %d\n", uxTaskGetStackHighWaterMark(NULL));
+#endif
+
+ /* note wolfCrypt_Cleanup() should always be called when finished.
+ ** This is called at the end of wolf_test_task();
+ */
+
+#if defined(DEBUG_WOLFSSL) && defined(WOLFSSL_ESP32_CRYPT_RSA_PRI)
+ esp_hw_show_mp_metrics();
+#endif
+
+#ifdef INCLUDE_uxTaskGetStackHighWaterMark
+ ESP_LOGI(TAG, "Stack HWM: %d", uxTaskGetStackHighWaterMark(NULL));
+
+ ESP_LOGI(TAG, "Stack used: %d", CONFIG_ESP_MAIN_TASK_STACK_SIZE
+ - (uxTaskGetStackHighWaterMark(NULL)));
+#endif
+
+#ifdef WOLFSSL_ESPIDF_VERBOSE_EXIT_MESSAGE
+ if (ret == 0) {
+ ESP_LOGI(TAG, WOLFSSL_ESPIDF_VERBOSE_EXIT_MESSAGE("Success!", ret));
+ }
+ else {
+ ESP_LOGE(TAG, WOLFSSL_ESPIDF_VERBOSE_EXIT_MESSAGE("Failed!", ret));
+ }
+#elif defined(WOLFSSL_ESPIDF_EXIT_MESSAGE)
+ ESP_LOGI(TAG, WOLFSSL_ESPIDF_EXIT_MESSAGE);
+#else
+ ESP_LOGI(TAG, "\n\nDone!\n\n"
+ "If running from idf.py monitor, press twice: Ctrl+]");
+#endif
+
+ /* after the test, we'll just wait */
+ while (1) {
+ /* do something other than nothing to help next program/debug session*/
+#ifndef SINGLE_THREADED
+ vTaskDelay(1000);
+#endif
+ }
+
+#endif /* NO_CRYPT_BENCHMARK */
+} /* main */
diff --git a/examples/wolfssl_benchmark/sdkconfig.defaults b/examples/wolfssl_benchmark/sdkconfig.defaults
new file mode 100644
index 0000000..e7f3037
--- /dev/null
+++ b/examples/wolfssl_benchmark/sdkconfig.defaults
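Review bot: The token-copy loop in construct_argv, `while ((*ch != ' ') && (*ch != '\0') && (i <= ARG_BUFF_SIZE))`, lets i reach ARG_BUFF_SIZE, so `buff[i] = *ch` writes one byte past the 16-byte stack buffer and the following `memcpy(__argv[cnt], buff, i + 1)` then reads two bytes past it; the bound should be `(i < ARG_BUFF_SIZE - 1)` so the memset-supplied terminator is always copied, and a token longer than that is currently split silently into the next argument rather than reported, which deserves an `ESP_LOGE` and a skip. The per-argument allocations `__argv[cnt] = malloc(10)` and `(char*)malloc(i + 1)` are not checked before use, unlike `_argv`, so an allocation failure on a memory-tight target dereferences NULL; mirror the `if (!_argv) return -1;` handling there. In app_main, `ESP_LOGI(TAG, "NO_CRYPT_BENCHMARK defined, skipping wolf_benchmark_task")` is missing its semicolon, so a build with NO_CRYPT_BENCHMARK defined will fail to compile unless ESP_LOGI happens to expand to something that tolerates it. `ret` is initialized to 0 and never assigned afterwards (the TODO on the `wolf_benchmark_task()` call notes the missing capture), so the `WOLFSSL_ESPIDF_VERBOSE_EXIT_MESSAGE` branch always reports "Success!"; either wire the return value through or say in a comment that the exit message does not reflect the benchmark result.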
@@ -0,0 +1,97 @@
+# Note that during the build process, settings from sdkconfig.defaults will not override those already in sdkconfig.
+# See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html#custom-sdkconfig-defaults
+CONFIG_BENCH_ARGV="-lng 0"
+CONFIG_FREERTOS_HZ=1000
+CONFIG_ESP32_DEFAULT_CPU_FREQ_240=y
+
+#
+# Default main stack size. See user_settings.h
+#
+# For wolfSSL SMALL_STACK, 3072 bytes should be sufficient for benchmark app.
+# When using RSA, assign at least 10500 bytes, otherwise 5500 usually works for others
+CONFIG_ESP_MAIN_TASK_STACK_SIZE=10500
+
+# Legacy stack size for older ESP-IDF versions
+CONFIG_MAIN_TASK_STACK_SIZE=10500
+
+#
+# Benchmark must not have CONFIG_NEWLIB_NANO_FORMAT enabled
+CONFIG_NEWLIB_NANO_FORMAT=n
+#
+# Watchdog Timers
+#
+# We don't want to have the watchdog timeout during tests & benchmarks
+#
+CONFIG_ESP_TASK_WDT_CHECK_IDLE_TASK_CPU0=n
+CONFIG_ESP_TASK_WDT_CHECK_IDLE_TASK_CPU1=n
+# Panic & Watchdog
+CONFIG_ESP_INT_WDT_TIMEOUT_MS=10000
+CONFIG_ESP_TASK_WDT_EN=n
+CONFIG_ESP_SYSTEM_PANIC_PRINT_HALT=y
+CONFIG_ESP_INT_WDT=n
+
+# ESP8266 WDT
+# CONFIG_ESP_PANIC_PRINT_REBOOT is not set
+CONFIG_ESP_PANIC_PRINT_REBOOT=n
+CONFIG_ESP_PANIC_PRINT_HALT=y
+
+# CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS is not set
+CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS=n
+
+# ESP8266 Memory
+CONFIG_FREERTOS_GLOBAL_DATA_LINK_IRAM=y
+CONFIG_HEAP_DISABLE_IRAM=y
+
+# Performance
+# CONFIG_COMPILER_OPTIMIZATION_PERF=y
+
+# Set max COU frequency (falls back as needed for lower maximum)
+CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y
+
+# FreeRTOS ticks at 1ms interval
+CONFIG_FREERTOS_UNICORE=y
+CONFIG_FREERTOS_HZ=1000
+
+#
+# Compiler options
+#
+CONFIG_COMPILER_OPTIMIZATION_DEFAULT=y
+# CONFIG_COMPILER_OPTIMIZATION_SIZE is not set
+# CONFIG_COMPILER_OPTIMIZATION_PERF is not set
+# CONFIG_COMPILER_OPTIMIZATION_NONE is not set
+CONFIG_COMPILER_OPTIMIZATION_ASSERTIONS_ENABLE=y
+# CONFIG_COMPILER_OPTIMIZATION_ASSERTIONS_SILENT is not set
+# CONFIG_COMPILER_OPTIMIZATION_ASSERTIONS_DISABLE is not set
+CONFIG_COMPILER_FLOAT_LIB_FROM_GCCLIB=y
+CONFIG_COMPILER_OPTIMIZATION_ASSERTION_LEVEL=2
+# CONFIG_COMPILER_OPTIMIZATION_CHECKS_SILENT is not set
+CONFIG_COMPILER_HIDE_PATHS_MACROS=y
+# CONFIG_COMPILER_CXX_EXCEPTIONS is not set
+# CONFIG_COMPILER_CXX_RTTI is not set
+# CONFIG_COMPILER_STACK_CHECK_MODE_NONE is not set
+CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y
+# CONFIG_COMPILER_STACK_CHECK_MODE_STRONG is not set
+# CONFIG_COMPILER_STACK_CHECK_MODE_ALL is not set
+CONFIG_COMPILER_STACK_CHECK=y
+# CONFIG_COMPILER_WARN_WRITE_STRINGS is not set
+# CONFIG_COMPILER_SAVE_RESTORE_LIBCALLS is not set
+# CONFIG_COMPILER_DISABLE_GCC12_WARNINGS is not set
+# CONFIG_COMPILER_DUMP_RTL_FILES is not set
+# end of Compiler options
+
+# We don't know that the min is actually v2,
+# but this is the earliest tested.
+CONFIG_ESP32C3_REV_MIN_2=y
+
+#
+# Partition Table
+#
+# CONFIG_PARTITION_TABLE_SINGLE_APP is not set
+CONFIG_PARTITION_TABLE_SINGLE_APP_LARGE=y
+# CONFIG_PARTITION_TABLE_TWO_OTA is not set
+# CONFIG_PARTITION_TABLE_CUSTOM is not set
+CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"
+CONFIG_PARTITION_TABLE_FILENAME="partitions_singleapp_large.csv"
+CONFIG_PARTITION_TABLE_OFFSET=0x8000
+CONFIG_PARTITION_TABLE_MD5=y
+# end of Partition Table
diff --git a/examples/wolfssl_client/CMakeLists.txt b/examples/wolfssl_client/CMakeLists.txt
deleted file mode 100644
index a61aea9..0000000
--- a/examples/wolfssl_client/CMakeLists.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-# The following lines of boilerplate have to be in your project's
-# CMakeLists in this exact order for cmake to work correctly
-cmake_minimum_required(VERSION 3.5)
-set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_examples_common "../../")
-include($ENV{IDF_PATH}/tools/cmake/project.cmake)
-project(wolfssl)
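Review bot: `CONFIG_FREERTOS_HZ=1000` appears twice in this file (near the top and again under "FreeRTOS ticks at 1ms interval"); the duplicate is harmless but one copy should go so a later edit cannot leave the two disagreeing. `CONFIG_ESP_TASK_WDT_EN=n` and `CONFIG_ESP_INT_WDT=n` switch off both watchdogs, and with `CONFIG_ESP_SYSTEM_PANIC_PRINT_HALT=y` a hung or faulted benchmark presumably stays halted rather than recovering; that is a fair trade for a benchmark project, but the existing "We don't want to have the watchdog timeout" comment should state the consequence and the scope, e.g. `# Benchmark-only: both watchdogs are disabled so long runs are not interrupted; do not carry these into an application sdkconfig`. `CONFIG_ESP_INT_WDT_TIMEOUT_MS=10000` has no effect while `CONFIG_ESP_INT_WDT=n`, so either drop it or note that it is kept for when the interrupt watchdog is re-enabled.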
diff --git a/examples/wolfssl_client/Makefile b/examples/wolfssl_client/Makefile deleted file mode 100755 index 8983fc0..0000000 --- a/examples/wolfssl_client/Makefile +++ /dev/null @@ -1,12 +0,0 @@ -# -# This is a project Makefile. It is assumed the directory this Makefile resides in is a -# project subdirectory. -# - -PROJECT_NAME := wolfssl - -CFLAGS += -DWOLFSSL_USER_SETTINGS - -EXTRA_COMPONENT_DIRS := $(realpath ../..) -EXTRA_COMPONENT_DIRS += $(IDF_PATH)/examples/common_components/protocol_examples_common -include $(IDF_PATH)/make/project.mk diff --git a/examples/wolfssl_client/README.md b/examples/wolfssl_client/README.md deleted file mode 100644 index 64dccf0..0000000 --- a/examples/wolfssl_client/README.md +++ /dev/null @@ -1,6 +0,0 @@ -# WolfSSL_client example - -The examples makes a very simple HTTPS request over a secure connection, including verifying the server TLS certificate. - This example is similar in working with the https_request example , only the API used in this example are wolfSSL specific. - -See the README.md file in the upper level 'examples' directory for more information about examples. diff --git a/examples/wolfssl_client/main/CMakeLists.txt b/examples/wolfssl_client/main/CMakeLists.txt deleted file mode 100644 index 85b7578..0000000 --- a/examples/wolfssl_client/main/CMakeLists.txt +++ /dev/null @@ -1,5 +0,0 @@ -idf_component_register(SRCS "wolfssl_client_demo.c" - INCLUDE_DIRS "." - EMBED_TXTFILES "server_root_cert.pem") - -target_compile_definitions(${COMPONENT_LIB} PRIVATE WOLFSSL_USER_SETTINGS) diff --git a/examples/wolfssl_client/main/Kconfig.projbuild b/examples/wolfssl_client/main/Kconfig.projbuild deleted file mode 100644 index 99dbcc3..0000000 --- a/examples/wolfssl_client/main/Kconfig.projbuild +++ /dev/null 
@@ -1,9 +0,0 @@ -menu "Example Configuration" - - config EXAMPLE_SERVER_CERT_VERIFY - bool "Enable Server Certificate Verification" - default y - help - Enabling this option validates the server certificate while establishing a TLS connection. - -endmenu # Example Configuration diff --git a/examples/wolfssl_client/main/component.mk b/examples/wolfssl_client/main/component.mk deleted file mode 100644 index 12acf9f..0000000 --- a/examples/wolfssl_client/main/component.mk +++ /dev/null @@ -1,5 +0,0 @@ -# -# "main" pseudo-component makefile. -# -# (Uses default behaviour of compiling all source files in directory, adding 'include' to include path.) -COMPONENT_EMBED_TXTFILES := server_root_cert.pem diff --git a/examples/wolfssl_client/main/server_root_cert.pem b/examples/wolfssl_client/main/server_root_cert.pem deleted file mode 100644 index e3cbad9..0000000 --- a/examples/wolfssl_client/main/server_root_cert.pem +++ /dev/null 
@@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEFzCCAv+gAwIBAgIQB/LzXIeod6967+lHmTUlvTANBgkqhkiG9w0BAQwFADBh -MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 -d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD -QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaMFYxCzAJBgNVBAYTAlVT -MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMDAuBgNVBAMTJ0RpZ2lDZXJ0IFRMUyBI -eWJyaWQgRUNDIFNIQTM4NCAyMDIwIENBMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA -BMEbxppbmNmkKaDp1AS12+umsmxVwP/tmMZJLwYnUcu/cMEFesOxnYeJuq20ExfJ -qLSDyLiQ0cx0NTY8g3KwtdD3ImnI8YDEe0CPz2iHJlw5ifFNkU3aiYvkA8ND5b8v -c6OCAYIwggF+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFAq8CCkXjKU5 -bXoOzjPHLrPt+8N6MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G -A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdgYI -KwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j -b20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp -Q2VydEdsb2JhbFJvb3RDQS5jcnQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2Ny -bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDA9BgNVHSAE -NjA0MAsGCWCGSAGG/WwCATAHBgVngQwBATAIBgZngQwBAgEwCAYGZ4EMAQICMAgG -BmeBDAECAzANBgkqhkiG9w0BAQwFAAOCAQEAR1mBf9QbH7Bx9phdGLqYR5iwfnYr -6v8ai6wms0KNMeZK6BnQ79oU59cUkqGS8qcuLa/7Hfb7U7CKP/zYFgrpsC62pQsY -kDUmotr2qLcy/JUjS8ZFucTP5Hzu5sn4kL1y45nDHQsFfGqXbbKrAjbYwrwsAZI/ -BKOLdRHHuSm8EdCGupK8JvllyDfNJvaGEwwEqonleLHBTnm8dqMLUeTF0J5q/hos -Vq4GNiejcxwIfZMy0MJEGdqN9A57HSgDKwmKdsp33Id6rHtSJlWncg+d0ohP/rEh -xRqhqjn1VtvChMQ1H3Dau0bwhr9kAMQ+959GG50jBbl9s08PqUU643QwmA== ------END CERTIFICATE----- diff --git a/examples/wolfssl_client/main/wolfssl_client_demo.c b/examples/wolfssl_client/main/wolfssl_client_demo.c deleted file mode 100644 index c8e7ff1..0000000 --- a/examples/wolfssl_client/main/wolfssl_client_demo.c +++ /dev/null 
@@ -1,274 +0,0 @@ -/* wolfSSL example - - This example code is in the Public Domain (or CC0 licensed, at your option.) - - Unless required by applicable law or agreed to in writing, this - software is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR - CONDITIONS OF ANY KIND, either express or implied. -*/ - -#include - -#include "esp_wifi.h" -#include "esp_event.h" -#include "esp_log.h" - -#include "nvs_flash.h" - -#include "freertos/FreeRTOS.h" -#include "freertos/task.h" -#include "freertos/event_groups.h" - -#include -#include -#include "lwip/apps/sntp.h" -#include "protocol_examples_common.h" -#include -#include "wolfssl/ssl.h" -#include "esp_netif.h" - -#if CONFIG_EXAMPLE_SERVER_CERT_VERIFY -extern const uint8_t server_root_cert_pem_start[] asm("_binary_server_root_cert_pem_start"); -extern const uint8_t server_root_cert_pem_end[] asm("_binary_server_root_cert_pem_end"); -#endif - -/* Constants that aren't configurable in menuconfig */ -#define WEB_SERVER "api.github.com" -#define WEB_PORT (443) -#define WEB_URL "https://api.github.com/zen" - -#define REQUEST "GET " WEB_URL " HTTP/1.0\r\n" \ - "Host: "WEB_SERVER"\r\n" \ - "User-Agent: esp-idf/1.0 esp32\r\n" \ - "\r\n" -/* - * NOTE: To turn on debug logs for wolfSSL component and this example, uncomment - * #define DEBUF_WOLFSSL in file components/wolfssl/port/user_settings.h - */ - -#define WOLFSSL_DEMO_THREAD_NAME "wolfssl_client" -#ifdef DEBUG_WOLFSSL -#define WOLFSSL_DEMO_THREAD_STACK_WORDS 8192 -#else -#define WOLFSSL_DEMO_THREAD_STACK_WORDS 4096 -#endif /* DEBUG_WOLFSSL */ -#define WOLFSSL_DEMO_THREAD_PRORIOTY 6 -#define WOLFSSL_DEMO_SNTP_SERVERS "time.google.com" -#define WOLFSSL_CIPHER_LIST_MAX_SIZE 2048 - -static const char *TAG = "wolfssl_client"; - -const char send_data[] = REQUEST; -const int32_t send_bytes = sizeof(send_data); -char recv_data[1024] = {0}; - -#ifdef DEBUG_WOLFSSL -static void show_ciphers(void) -{ - char *ciphers = calloc(WOLFSSL_CIPHER_LIST_MAX_SIZE, sizeof(char)); - if 
(ciphers != NULL) { - int ret = wolfSSL_get_ciphers(ciphers, WOLFSSL_CIPHER_LIST_MAX_SIZE); - if (ret == WOLFSSL_SUCCESS) { - ESP_LOGI(TAG, "Available Ciphers: \n%s", ciphers); - } else { - ESP_LOGE(TAG, "Failed to get cipher list!"); - } - free(ciphers); - } -} -#endif - -static void get_time() -{ - struct timeval now; - int sntp_retry_cnt = 0; - int sntp_retry_time = 0; - - sntp_setoperatingmode(0); - sntp_setservername(0, WOLFSSL_DEMO_SNTP_SERVERS); - sntp_init(); - - while (1) { - for (int32_t i = 0; (i < (SNTP_RECV_TIMEOUT / 100)) && now.tv_sec < 1657621503; i++) { - vTaskDelay(100 / portTICK_PERIOD_MS); - gettimeofday(&now, NULL); - } - - if (now.tv_sec < 1657621503) { - sntp_retry_time = SNTP_RECV_TIMEOUT << sntp_retry_cnt; - - if (SNTP_RECV_TIMEOUT << (sntp_retry_cnt + 1) < SNTP_RETRY_TIMEOUT_MAX) { - sntp_retry_cnt ++; - } - - ESP_LOGI(TAG, "SNTP get time failed, retry after %d ms", sntp_retry_time); - vTaskDelay(sntp_retry_time / portTICK_PERIOD_MS); - } else { - ESP_LOGI(TAG, "SNTP get time success"); - break; - } - } -} - -static void wolfssl_client(void *pv) -{ -#ifdef DEBUG_WOLFSSL - wolfSSL_Debugging_ON(); - show_ciphers(); -#endif /* DEBUG_WOLFSSL */ - int32_t ret = 0; - - const TickType_t xDelay = 500 / portTICK_PERIOD_MS; - WOLFSSL_CTX *ctx = NULL; - WOLFSSL *ssl = NULL; - - int32_t sockfd = -1; - struct sockaddr_in sock_addr; - struct hostent *entry = NULL; - - /* CA date verification need system time */ - get_time(); - - while (1) { - - ESP_LOGI(TAG, "Setting hostname for TLS session..."); - /*get addr info for hostname*/ - do { - entry = gethostbyname(WEB_SERVER); - vTaskDelay(xDelay); - } while (entry == NULL); - - ESP_LOGI(TAG, "Init wolfSSL..."); - ret = wolfSSL_Init(); - - if (ret != WOLFSSL_SUCCESS) { - ESP_LOGI(TAG, "Init wolfSSL failed:%d...", ret); - goto failed1; - } - - ESP_LOGI(TAG, "Set wolfSSL ctx ..."); -/* - * NOTE: To turn off TLS 1.3 only mode for wolfSSL component, comment - * #define WOLFSSL_TLS13 in file 
../components/wolfssl/port/user_settings.h - */ -#ifdef WOLFSSL_TLS13 - ctx = (void *)wolfSSL_CTX_new(wolfTLSv1_3_client_method()); -#else - ctx = (void *)wolfSSL_CTX_new(wolfTLSv1_2_client_method()); -#endif - if (!ctx) { - ESP_LOGI(TAG, "Set wolfSSL ctx failed..."); - goto failed1; - } - - ESP_LOGI(TAG, "Create socket ..."); - sockfd = socket(AF_INET, SOCK_STREAM, 0); - - if (sockfd < 0) { - ESP_LOGI(TAG, "Create socket failed..."); - goto failed2; - } - -#if CONFIG_EXAMPLE_SERVER_CERT_VERIFY - ESP_LOGI(TAG, "Loading the CA root certificate..."); - ret = wolfSSL_CTX_load_verify_buffer(ctx, server_root_cert_pem_start, server_root_cert_pem_end - server_root_cert_pem_start, WOLFSSL_FILETYPE_PEM); - - if (WOLFSSL_SUCCESS != ret) { - ESP_LOGE(TAG, "Loading the CA root certificate failed..."); - goto failed3; - } - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); -#else - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL); -#endif - - memset(&sock_addr, 0, sizeof(sock_addr)); - sock_addr.sin_family = AF_INET; - sock_addr.sin_port = htons(WEB_PORT); - sock_addr.sin_addr.s_addr = ((struct in_addr *)(entry->h_addr))->s_addr; - - ESP_LOGI(TAG, "Connecting to %s:%d...", WEB_SERVER, WEB_PORT); - ret = connect(sockfd, (struct sockaddr *)&sock_addr, sizeof(sock_addr)); - - if (ret) { - ESP_LOGE(TAG, "Connecting to %s:%d failed: %d", WEB_SERVER, WEB_PORT, ret); - goto failed3; - } - - ESP_LOGI(TAG, "Create wolfSSL..."); - ssl = wolfSSL_new(ctx); - if (!ssl) { - ESP_LOGE(TAG, "Create wolfSSL failed..."); - goto failed3; - } - wolfSSL_set_fd(ssl, sockfd); - - ESP_LOGI(TAG, "Performing the SSL/TLS handshake..."); - ret = wolfSSL_connect(ssl); - - if (WOLFSSL_SUCCESS != ret) { - ESP_LOGE(TAG, "Performing the SSL/TLS handshake failed:%d", ret); - goto failed4; - } - - ESP_LOGI(TAG, "Writing HTTPS request..."); - ret = wolfSSL_write(ssl, send_data, send_bytes); - if (ret <= 0) { - ESP_LOGE(TAG, "Writing HTTPS request failed:%d", ret); - goto failed5; - } - - ESP_LOGI(TAG, 
"Reading HTTPS response..."); - - do { - ret = wolfSSL_read(ssl, recv_data, sizeof(recv_data)); - if (ret <= 0) { - ESP_LOGW(TAG, "Connection closed"); - break; - } - - /* Print response directly to stdout as it is read */ - for (int i = 0; i < ret; i++) { - printf("%c", recv_data[i]); - } - printf("\n"); - } while (1); - -failed5: - wolfSSL_shutdown(ssl); -failed4: - wolfSSL_free(ssl); -failed3: - close(sockfd); -failed2: - wolfSSL_CTX_free(ctx); -failed1: - wolfSSL_Cleanup(); - - for (int countdown = 10; countdown >= 0; countdown--) { - ESP_LOGI(TAG, "%d...", countdown); - vTaskDelay(1000 / portTICK_PERIOD_MS); - } - - ESP_LOGI(TAG, "Starting again!"); - } -} - -void app_main(void) -{ - ESP_ERROR_CHECK(nvs_flash_init()); - ESP_ERROR_CHECK(esp_netif_init()); - ESP_ERROR_CHECK(esp_event_loop_create_default()); - - /* This helper function configures Wi-Fi or Ethernet, as selected in menuconfig. - * Read "Establishing Wi-Fi or Ethernet Connection" section in - * examples/protocols/README.md for more information about this function. - */ - ESP_ERROR_CHECK(example_connect()); - xTaskCreate(wolfssl_client, - WOLFSSL_DEMO_THREAD_NAME, - WOLFSSL_DEMO_THREAD_STACK_WORDS, - NULL, - WOLFSSL_DEMO_THREAD_PRORIOTY, - NULL); -} diff --git a/examples/wolfssl_test/CMakeLists.txt b/examples/wolfssl_test/CMakeLists.txt new file mode 100644 index 0000000..6e70b4a --- /dev/null +++ b/examples/wolfssl_test/CMakeLists.txt @@ -0,0 +1,15 @@ +# wolfSSL Espressif Example Project CMakeLists.txt +# v1.1 +# +# The following lines of boilerplate have to be in your project's +# CMakeLists in this exact order for cmake to work correctly +cmake_minimum_required(VERSION 3.5) + +add_compile_options(-DWOLFSSL_ESP_NO_WATCHDOG=1) + +include($ENV{IDF_PATH}/tools/cmake/project.cmake) + +# Not only is a project-level "set(COMPONENTS" not needed here, this will cause +# an unintuitive error about Unknown CMake command "esptool_py_flash_project_args". + +project(wolfssl_test) 
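Review bot: `add_compile_options(-DWOLFSSL_ESP_NO_WATCHDOG=1)` pushes the define into every component of the build rather than into this project's main, so anything that keys off `WOLFSSL_ESP_NO_WATCHDOG` (the benchmark example's main.c in this same commit calls `esp_DisableWatchdog()` under that macro, and this project's main is not in the diff) is affected project-wide. A preprocessor define is better expressed as `add_compile_definitions(WOLFSSL_ESP_NO_WATCHDOG=1)`, which needs CMake 3.12 whereas this file declares `cmake_minimum_required(VERSION 3.5)`; ESP-IDF's own minimum presumably already exceeds 3.12, so the declared version could be raised at the same time, or the define scoped to the main component with `target_compile_definitions` in main/CMakeLists.txt. A one-line comment above the `add_compile_options` line saying why the watchdog is disabled for the test project would also help, since that rationale currently lives only in the benchmark example's sdkconfig.defaults.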
diff --git a/examples/wolfssl_test/README.md b/examples/wolfssl_test/README.md new file mode 100644 index 0000000..ee66039 --- /dev/null +++ b/examples/wolfssl_test/README.md 
@@ -0,0 +1,175 @@ +# wolfSSL Crypt Test Example + +This is the ESP32 Version of the [wolfSSL wolfcrypt test application](https://github.com/wolfSSL/wolfssl/tree/master/wolfcrypt/test). + +For general information on [wolfSSL examples for Espressif](../README.md), see the +[README](https://github.com/wolfSSL/wolfssl/blob/master/IDE/Espressif/ESP-IDF/README.md) file. + +## ESP Registry + +The easiest way to get started with wolfSSL is by using the +[ESP Registry](https://components.espressif.com/components/wolfssl/wolfssl/) examples. + +``` +. ~/esp/esp-idf/export.sh +idf.py create-project-from-example "wolfssl/wolfssl^5.6.0-stable:wolfssl_test" +cd wolfssl_benchmark +idf.py -b 115200 flash monitor +``` + +## VisualGDB + +Open the VisualGDB Visual Studio Project file in the [VisualGDB directory](./VisualGDB/README.md) and click the "Start" button. +No wolfSSL setup is needed. You may need to adjust your specific COM port. The default is `COM20`. + +## ESP-IDF Commandline + +1. `idf.py menuconfig` to configure the program. + 1-1. Example Configuration -> + + TEST_ARG : argument that you want to use. Default is "-lng 0" + The list of argument can be find in help. + +When you want to run the test program + +1. `idf.py -p flash` to compile and load the firmware +2. `idf.py monitor` to see the message + +See the README.md file in the upper level 'examples' directory for more information about examples. + +Reminder than when building on WSL in `/mnt/c` there will be a noticeable performance degradation at compile time. Using `~/` will be faster at the cost of shared filesystems. + +Example build on WSL, assuming `git clone` from `c:\workspace`: + +``` +WRK_IDF_PATH=/mnt/c/SysGCC/esp32/esp-idf/v5.1 + +echo "Run export.sh from ${WRK_IDF_PATH}" +. ${WRK_IDF_PATH}/export.sh + +# switch to test example +cd /mnt/c/workspace/wolfssl/IDE/Espressif/ESP-IDF/examples/wolfssl_test + +# Pick ESP-IDF install directory, this one for v5.1 in VisualGDB +. 
/mnt/c/SysGCC/esp32/esp-idf/v5.1/export.sh + +# set target chipset +idf.py set-target esp32s3 + +# erase +idf.py erase-flash -p /dev/ttyS24 -b 115200 + +# start with a low upload speed, then increase as found operational +idf.py +# build and flash, in this example to COM24 +idf.py build flash -p /dev/ttyS24 -b 115200 monitor +``` + +## Example Output + +Note the default wolfSSL `user_settings.h` is configured by default to be the most +compatible across the widest ranges of targets. Contact wolfSSL at support@wolfssl.com +for help in optimizing for your particular application, or see the +[docs](https://www.wolfssl.com/documentation/manuals/wolfssl/index.html). + +Compiled and flashed with `idf.py build flash -p /dev/ttyS7 -b 115200 monitor`: + +``` +ets Jun 8 2016 00:22:57 + +rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT) +configsip: 0, SPIWP:0xee +clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00 +mode:DIO, clock div:2 +load:0x3fff0030,len:6612 +load:0x40078000,len:14788 +load:0x40080400,len:3792 +entry 0x40080694 +I (26) boot: ESP-IDF v4.4.1-dirty 2nd stage bootloader +I (26) boot: compile time 15:25:38 +I (26) boot: chip revision: 1 +I (29) boot_comm: chip revision: 1, min. bootloader chip revision: 0 +I (37) boot.esp32: SPI Speed : 40MHz +I (41) boot.esp32: SPI Mode : DIO +I (46) boot.esp32: SPI Flash Size : 2MB +I (50) boot: Enabling RNG early entropy source... +I (56) boot: Partition Table: +I (59) boot: ## Label Usage Type ST Offset Length +I (67) boot: 0 nvs WiFi data 01 02 00009000 00006000 +I (74) boot: 1 phy_init RF data 01 01 0000f000 00001000 +I (81) boot: 2 factory factory app 00 00 00010000 00100000 +I (89) boot: End of partition table +I (93) boot_comm: chip revision: 1, min. 
application chip revision: 0 +I (100) esp_image: segment 0: paddr=00010020 vaddr=3f400020 size=16ca4h ( 93348) map +I (143) esp_image: segment 1: paddr=00026ccc vaddr=3ffb0000 size=024d4h ( 9428) load +I (147) esp_image: segment 2: paddr=000291a8 vaddr=40080000 size=06e70h ( 28272) load +I (160) esp_image: segment 3: paddr=00030020 vaddr=400d0020 size=412d8h (266968) map +I (257) esp_image: segment 4: paddr=00071300 vaddr=40086e70 size=045a8h ( 17832) load +I (265) esp_image: segment 5: paddr=000758b0 vaddr=50000000 size=00010h ( 16) load +I (270) boot: Loaded app from partition at offset 0x10000 +I (270) boot: Disabling RNG early entropy source... +I (285) cpu_start: Pro cpu up. +I (286) cpu_start: Starting app cpu, entry point is 0x40081088 +I (273) cpu_start: App cpu up. +I (300) cpu_start: Pro cpu start user code +I (300) cpu_start: cpu freq: 160000000 +I (300) cpu_start: Application information: +I (305) cpu_start: Project name: wolfssl_test +I (310) cpu_start: App version: v5.5.3-stable-108-gbd7b442df-di +I (317) cpu_start: Compile time: Nov 17 2022 15:24:40 +I (323) cpu_start: ELF file SHA256: 90957eeb4f0d2246... +I (329) cpu_start: ESP-IDF: v4.4.1-dirty +I (335) heap_init: Initializing. RAM available for dynamic allocation: +I (342) heap_init: At 3FFAE6E0 len 00001920 (6 KiB): DRAM +I (348) heap_init: At 3FFB2DF0 len 0002D210 (180 KiB): DRAM +I (354) heap_init: At 3FFE0440 len 00003AE0 (14 KiB): D/IRAM +I (360) heap_init: At 3FFE4350 len 0001BCB0 (111 KiB): D/IRAM +I (367) heap_init: At 4008B418 len 00014BE8 (82 KiB): IRAM +I (374) spi_flash: detected chip: generic +I (378) spi_flash: flash io: dio +W (382) spi_flash: Detected size(4096k) larger than the size in the binary image header(2048k). Using the size in the binary image header. +I (396) cpu_start: Starting scheduler on PRO CPU. +I (0) cpu_start: Starting scheduler on APP CPU. 
+------------------------------------------------------------------------------ + wolfSSL version 5.5.3 +------------------------------------------------------------------------------ +error test passed! +MEMORY test passed! +base64 test passed! +asn test passed! +RANDOM test passed! +MD5 test passed! +MD4 test passed! +SHA test passed! +SHA-256 test passed! +SHA-512 test passed! +Hash test passed! +HMAC-MD5 test passed! +HMAC-SHA test passed! +HMAC-SHA256 test passed! +HMAC-SHA512 test passed! +HMAC-KDF test passed! +TLSv1.3 KDF test passed! +GMAC test passed! +DES test passed! +DES3 test passed! +AES test passed! +AES192 test passed! +AES256 test passed! +AES-GCM test passed! +RSA test passed! +PWDBASED test passed! +ECC test passed! +ECC buffer test passed! +CURVE25519 test passed! +ED25519 test passed! +logging test passed! +time test passed! +mutex test passed! +Test complete +I (136548) wolfcrypt_test: Exiting main with return code: 0 + +I (136548) wolfssl_test: wolf_test_task complete success result code = 0 +``` + +See the README.md file in the upper level 'examples' directory for [more information about examples](../README.md). diff --git a/examples/wolfssl_test/main/CMakeLists.txt b/examples/wolfssl_test/main/CMakeLists.txt new file mode 100644 index 0000000..2fe1790 --- /dev/null +++ b/examples/wolfssl_test/main/CMakeLists.txt @@ -0,0 +1,9 @@ +# +# wolfssl crypt test +# +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") + +idf_component_register(SRCS + "main.c" + INCLUDE_DIRS + ".") diff --git a/examples/wolfssl_test/main/Kconfig.projbuild b/examples/wolfssl_test/main/Kconfig.projbuild new file mode 100644 index 0000000..264c808 --- /dev/null +++ b/examples/wolfssl_test/main/Kconfig.projbuild 
@@ -0,0 +1,29 @@ +menu "Example Configuration" + +config BENCH_ARGV + string "Arguments for benchmark test" + default "-lng 0" + help + -? Help, print this usage + 0: English, 1: Japanese + -csv Print terminal output in csv format + -base10 Display bytes as power of 10 (eg 1 kB = 1000 Bytes) + -no_aad No additional authentication data passed. + -dgst_full Full digest operation performed. + -rsa_sign Measure RSA sign/verify instead of encrypt/decrypt. + - Algorithm to benchmark. Available algorithms include: + cipher aes-cbc aes-gcm chacha20 chacha20-poly1305 + digest md5 poly1305 sha sha2 sha224 sha256 sha384 sha512 sha3 + sha3-224 sha3-256 sha3-384 sha3-512 + mac hmac hmac-md5 hmac-sha hmac-sha224 hmac-sha256 hmac-sha384 + hmac-sha512 + asym rsa rsa-sz dh ecc-kg ecc + other rng + -lng Display benchmark result by specified language. + 0: English, 1: Japanese + Size of block in bytes + + e.g -lng 1 + e.g sha + +endmenu diff --git a/examples/wolfssl_test/main/idf_component.yml b/examples/wolfssl_test/main/idf_component.yml new file mode 100644 index 0000000..b64adee --- /dev/null +++ b/examples/wolfssl_test/main/idf_component.yml @@ -0,0 +1,5 @@ +dependencies: + esp-wolfssl: + override_path: '../../../' + idf: + version: ">=5.3.0" diff --git a/examples/wolfssl_test/main/include/main.h b/examples/wolfssl_test/main/include/main.h new file mode 100755 index 0000000..94d9132 --- /dev/null +++ b/examples/wolfssl_test/main/include/main.h 
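Review bot: `BENCH_ARGV` and its help text describe the benchmark program's options (`-csv`, `-rsa_sign`, `-base10`, the algorithm list), but this example is the wolfcrypt test: the `main.c` added in this patch calls `wolf_test_task()` with no arguments and, as far as visible, never reads `CONFIG_BENCH_ARGV`, so the whole menu is dead configuration here. The README in the same patch calls the setting `TEST_ARG`, a third name for the same thing. Either drop the menu or shrink it to the one option the test actually consumes, e.g. `config TEST_ARGV` with help `Arguments passed to the wolfcrypt test (default "-lng 0")`, and use that symbol consistently in sdkconfig.defaults and the README.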
@@ -0,0 +1,24 @@ +/* template main.h + * + * Copyright (C) 2006-2024 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ +#ifndef _MAIN_H_ +#define _MAIN_H_ + +#endif diff --git a/examples/wolfssl_test/main/main.c b/examples/wolfssl_test/main/main.c new file mode 100644 index 0000000..315ff30 --- /dev/null +++ b/examples/wolfssl_test/main/main.c 
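Review bot: The include guard `_MAIN_H_` is a reserved identifier in C (a leading underscore followed by an uppercase letter belongs to the implementation); `WOLFSSL_TEST_MAIN_H_` or `#pragma once` avoids the clash. The header is otherwise empty, so a one-line comment stating what it is intended to hold, or dropping the file until something needs it, would keep the example from carrying an unexplained placeholder.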
@@ -0,0 +1,290 @@ +/* main.c + * + * Copyright (C) 2006-2024 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* ESP-IDF */ +#include +#include "sdkconfig.h" + +/* wolfSSL */ +/* Always include wolfcrypt/settings.h before any other wolfSSL file. */ +/* Reminder: settings.h pulls in user_settings.h; don't include it here. */ +#ifdef WOLFSSL_USER_SETTINGS + #include + #ifndef WOLFSSL_ESPIDF + #warning "Problem with wolfSSL user_settings." 
+ #warning "Check components/wolfssl/include" + #endif + #include + #include + #include + #include + #include +#else + /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include */ + /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */ + #error "Missing WOLFSSL_USER_SETTINGS in CMakeLists or Makefile:\ + CFLAGS +=-DWOLFSSL_USER_SETTINGS" +#endif + +#include "driver/uart.h" + + +/* set to 0 for one test, +** set to 1 for continuous test loop */ +#define TEST_LOOP 0 + +#define THIS_MONITOR_UART_RX_BUFFER_SIZE 200 + +#ifdef CONFIG_ESP8266_XTAL_FREQ_26 + /* 26MHz crystal: 74880 bps */ + #define THIS_MONITOR_UART_BAUD_DATE 74880 +#else + /* 40MHz crystal: 115200 bps */ + #define THIS_MONITOR_UART_BAUD_DATE 115200 +#endif + +/* +** the wolfssl component can be installed in either: +** +** - the ESP-IDF component directory +** +** ** OR ** +** +** - the local project component directory +** +** it is not recommended to install in both. +** +*/ + +/* +** although the wolfcrypt/test includes a default time setting, +** see wolfssl/wolfcrypt/port/Espressif/esp-sdk-lib.h */ + +#undef WOLFSSL_USE_TIME_HELPER + +/* see wolfssl/wolfcrypt/test/test.h */ +extern void wolf_crypt_task(); + +static const char* const TAG = "wolfssl_test"; + +#if defined(WOLFSSL_ESPWROOM32SE) && defined(HAVE_PK_CALLBACKS) \ + && defined(WOLFSSL_ATECC508A) + +#include "wolfssl/wolfcrypt/port/atmel/atmel.h" + +/* when you need to use a custom slot allocation, */ +/* enable the definition CUSTOM_SLOT_ALLOCAION. 
*/ +#if defined(CUSTOM_SLOT_ALLOCATION) + +static byte mSlotList[ATECC_MAX_SLOT]; + +/* initialize slot array */ +void my_atmel_slotInit() +{ + int i; + for (i = 0; i < ATECC_MAX_SLOT; i++) { + mSlotList[i] = ATECC_INVALID_SLOT; + } +} + +/* allocate slot depending on slotType */ +int my_atmel_alloc(int slotType) +{ + int i, slot = ATECC_INVALID_SLOT; + + switch (slotType) { + case ATMEL_SLOT_ENCKEY: + slot = 4; + break; + case ATMEL_SLOT_DEVICE: + slot = 0; + break; + case ATMEL_SLOT_ECDHE: + slot = 0; + break; + case ATMEL_SLOT_ECDHE_ENC: + slot = 4; + break; + case ATMEL_SLOT_ANY: + for (i = 0; i < ATECC_MAX_SLOT; i++) { + if (mSlotList[i] == ATECC_INVALID_SLOT) { + slot = i; + break; + } /* if */ + } /* for */ + } /* switch */ + + return slot; +} + +/* free slot array */ +void my_atmel_free(int slotId) +{ + if (slotId >= 0 && slotId < ATECC_MAX_SLOT) { + mSlotList[slotId] = ATECC_INVALID_SLOT; + } +} + +#endif /* CUSTOM_SLOT_ALLOCATION */ +#endif /* WOLFSSL_ESPWROOM32SE && HAVE_PK_CALLBACK && WOLFSSL_ATECC508A */ + +/* entry point */ +void app_main(void) +{ + uart_config_t uart_config = { + .baud_rate = THIS_MONITOR_UART_BAUD_DATE, + .data_bits = UART_DATA_8_BITS, + .parity = UART_PARITY_DISABLE, + .stop_bits = UART_STOP_BITS_1, + }; + esp_err_t ret = 0; + wc_ptr_t stack_start = esp_sdk_stack_pointer(); + + /* uart_set_pin(UART_NUM_0, TX_PIN, RX_PIN, + * UART_PIN_NO_CHANGE, UART_PIN_NO_CHANGE); */ + + /* Some targets may need to have UART speed set. TODO: which? 
*/ + ESP_LOGI(TAG, "UART init"); + uart_param_config(UART_NUM_0, &uart_config); + uart_driver_install(UART_NUM_0, + THIS_MONITOR_UART_RX_BUFFER_SIZE, 0, 0, NULL, 0); + + ESP_LOGI(TAG, "------------------ wolfSSL Test Example ----------------"); + ESP_LOGI(TAG, "--------------------------------------------------------"); + ESP_LOGI(TAG, "--------------------------------------------------------"); + ESP_LOGI(TAG, "---------------------- BEGIN MAIN ----------------------"); + ESP_LOGI(TAG, "--------------------------------------------------------"); + ESP_LOGI(TAG, "--------------------------------------------------------"); + ESP_LOGI(TAG, "Stack Start: 0x%x", stack_start); + +#ifdef WOLFSSL_ESP_NO_WATCHDOG + ESP_LOGW(TAG, "Found WOLFSSL_ESP_NO_WATCHDOG, disabling..."); + esp_DisableWatchdog(); +#endif + +#ifdef ESP_TASK_MAIN_STACK + ESP_LOGI(TAG, "ESP_TASK_MAIN_STACK: %d", ESP_TASK_MAIN_STACK); +#endif +#ifdef TASK_EXTRA_STACK_SIZE + ESP_LOGI(TAG, "TASK_EXTRA_STACK_SIZE: %d", TASK_EXTRA_STACK_SIZE); +#endif +#ifdef INCLUDE_uxTaskGetStackHighWaterMark + ESP_LOGI(TAG, "CONFIG_ESP_MAIN_TASK_STACK_SIZE = %d bytes (%d words)", + CONFIG_ESP_MAIN_TASK_STACK_SIZE, + (int)(CONFIG_ESP_MAIN_TASK_STACK_SIZE / sizeof(void*))); + + /* Returns the high water mark of the stack associated with xTask. That is, + * the minimum free stack space there has been (in bytes not words, unlike + * vanilla FreeRTOS) since the task started. The smaller the returned + * number the closer the task has come to overflowing its stack. 
+ * see https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/system/freertos_idf.html + */ + stack_start = uxTaskGetStackHighWaterMark(NULL); + ESP_LOGI(TAG, "Stack Start HWM: %d bytes", stack_start); +#endif + +#ifdef HAVE_VERSION_EXTENDED_INFO + esp_ShowExtendedSystemInfo(); +#endif + + /* all platforms: stack high water mark check */ + ESP_LOGI(TAG, "Stack HWM: %d\n", uxTaskGetStackHighWaterMark(NULL)); + +#if defined (WOLFSSL_USE_TIME_HELPER) + set_time(); +#endif + +/* when using atecc608a on esp32-WROOM-32se */ +#if defined(WOLFSSL_ESPWROOM32SE) && defined(HAVE_PK_CALLBACKS) \ + && defined(WOLFSSL_ATECC508A) + #if defined(CUSTOM_SLOT_ALLOCATION) + my_atmel_slotInit(); + /* to register the callback, it needs to be initialized. */ + if ((wolfCrypt_Init()) != 0) { + ESP_LOGE(TAG, "wolfCrypt_Init failed"); + return; + } + atmel_set_slot_allocator(my_atmel_alloc, my_atmel_free); + #endif +#endif + +#ifdef NO_CRYPT_TEST + ESP_LOGI(TAG, "NO_CRYPT_TEST defined, skipping wolf_test_task"); +#else + /* Although wolfCrypt_Init() may be explicitly called above, + ** Note it is still always called in wolf_test_task. + */ + int loops = 0; + do { + #if defined(WOLFSSL_HW_METRICS) && defined(WOLFSSL_HAS_METRICS) + esp_hw_show_metrics(); + #endif + ret = wolf_test_task(); + ESP_LOGI(TAG, "Stack HWM: %d\n", uxTaskGetStackHighWaterMark(NULL)); + ESP_LOGI(TAG, "loops = %d", loops); + + loops++; + } + while (TEST_LOOP && (ret == 0)); + +#if defined TEST_LOOP && (TEST_LOOP == 1) + ESP_LOGI(TAG, "Test loops completed: %d", loops); +#endif + + /* note wolfCrypt_Cleanup() should always be called when finished. 
+ ** This is called at the end of wolf_test_task(); + */ + +#if defined(DEBUG_WOLFSSL) && defined(WOLFSSL_ESP32_CRYPT_RSA_PRI) + esp_hw_show_mp_metrics(); +#endif + +#ifdef INCLUDE_uxTaskGetStackHighWaterMark + ESP_LOGI(TAG, "Stack HWM: %d", uxTaskGetStackHighWaterMark(NULL)); + + ESP_LOGI(TAG, "Stack used: %d", CONFIG_ESP_MAIN_TASK_STACK_SIZE + - (uxTaskGetStackHighWaterMark(NULL))); +#endif + +#ifdef WOLFSSL_ESPIDF_VERBOSE_EXIT_MESSAGE + if (ret == 0) { + ESP_LOGI(TAG, WOLFSSL_ESPIDF_VERBOSE_EXIT_MESSAGE("Success!", ret)); + } + else { + ESP_LOGE(TAG, WOLFSSL_ESPIDF_VERBOSE_EXIT_MESSAGE("Failed!", ret)); + } +#elif defined(WOLFSSL_ESPIDF_EXIT_MESSAGE) + ESP_LOGI(TAG, WOLFSSL_ESPIDF_EXIT_MESSAGE); +#else + ESP_LOGI(TAG, "\n\nDone!\n\n" + "If running from idf.py monitor, press twice: Ctrl+]"); +#endif + + /* done */ + while (1) { +#if defined(SINGLE_THREADED) + while (1); +#else + vTaskDelay(60000); +#endif + } /* done while */ +#endif +} diff --git a/examples/wolfssl_test/partitions_singleapp_large.csv b/examples/wolfssl_test/partitions_singleapp_large.csv new file mode 100644 index 0000000..5a1a339 --- /dev/null +++ b/examples/wolfssl_test/partitions_singleapp_large.csv 
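Review bot: In `my_atmel_alloc`, the `ATMEL_SLOT_ANY` branch returns the first `mSlotList` entry still equal to `ATECC_INVALID_SLOT` but never records that the slot is now taken, and `my_atmel_free` only writes back the same `ATECC_INVALID_SLOT` value that already means "free", so every `ATMEL_SLOT_ANY` request hands out slot 0 again; the loop body should mark the entry with any value other than `ATECC_INVALID_SLOT`, e.g. `mSlotList[i] = (byte)i; slot = i; break;`. Separately, `stack_start` is declared `wc_ptr_t`, printed with `0x%x`, then reused for the `uxTaskGetStackHighWaterMark(NULL)` byte count printed with `%d`; a dedicated `UBaseType_t hwm` printed with `%u` (and the pointer value with `%p` or `PRIxPTR`) removes the format/type mismatches that `-Wformat` will flag. `uart_param_config` and `uart_driver_install` both return `esp_err_t` that is discarded here, whereas the https example removed in this patch wrapped its setup calls in `ESP_ERROR_CHECK`. The `extern void wolf_crypt_task();` declaration is never used in this file while `wolf_test_task()` is the function actually called, so that call depends entirely on the (stripped) test header include; dropping the stale extern, or declaring the function that is really used, makes the dependency explicit.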
@@ -0,0 +1,34 @@ +# This tag is used to include this file in the ESP Component Registry: +# __ESP_COMPONENT_SOURCE__ + +# to view: idf.py partition-table +# +# ESP-IDF Partition Table +# Name, Type, SubType, Offset, Size, Flags +nvs, data, nvs, 0x9000, 24K, +phy_init,data, phy, 0xf000, 4K, +factory, app, factory, 0x10000, 1500K, + + +# For other settings, see: +# https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/partition-tables.html#creating-custom-tables +# +# Here is the summary printed for the “Single factory app, no OTA” configuration: +# +# # ESP-IDF Partition Table +# # Name, Type, SubType, Offset, Size, Flags +# nvs, data, nvs, 0x9000, 0x6000, +# phy_init, data, phy, 0xf000, 0x1000, +# factory, app, factory, 0x10000, 1M, +# +# +# Here is the summary printed for the “Factory app, two OTA definitions” configuration: +# +# # ESP-IDF Partition Table +# # Name, Type, SubType, Offset, Size, Flags +# nvs, data, nvs, 0x9000, 0x4000, +# otadata, data, ota, 0xd000, 0x2000, +# phy_init, data, phy, 0xf000, 0x1000, +# factory, app, factory, 0x10000, 1M, +# ota_0, app, ota_0, 0x110000, 1M, +# ota_1, app, ota_1, 0x210000, 1M, diff --git a/examples/wolfssl_test/sdkconfig.defaults b/examples/wolfssl_test/sdkconfig.defaults new file mode 100644 index 0000000..2a5ad75 --- /dev/null +++ b/examples/wolfssl_test/sdkconfig.defaults 
@@ -0,0 +1,98 @@ +# sdkconfig.defaults for ESP8266 + ESP32 +# Note that during the build process, settings from sdkconfig.defaults will not override those already in sdkconfig. +# See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html#custom-sdkconfig-defaults +CONFIG_BENCH_ARGV="-lng 0" +CONFIG_FREERTOS_HZ=1000 +CONFIG_ESP32_DEFAULT_CPU_FREQ_240=y + +# +# Default main stack size. See user_settings.h +# +# For wolfSSL SMALL_STACK, 3072 bytes should be sufficient for benchmark app. +# When using RSA, assign at least 10500 bytes, otherwise 5500 usually works for others +CONFIG_ESP_MAIN_TASK_STACK_SIZE=10500 + +# Legacy stack size for older ESP-IDF versions +CONFIG_MAIN_TASK_STACK_SIZE=10500 + +# +# Benchmark must not have CONFIG_NEWLIB_NANO_FORMAT enabled +CONFIG_NEWLIB_NANO_FORMAT=n +# +# Watchdog Timers +# +# We don't want to have the watchdog timeout during tests & benchmarks +# +CONFIG_ESP_TASK_WDT_CHECK_IDLE_TASK_CPU0=n +CONFIG_ESP_TASK_WDT_CHECK_IDLE_TASK_CPU1=n +# Panic & Watchdog +CONFIG_ESP_INT_WDT_TIMEOUT_MS=10000 +CONFIG_ESP_TASK_WDT_EN=n +CONFIG_ESP_SYSTEM_PANIC_PRINT_HALT=y +CONFIG_ESP_INT_WDT=n + +# ESP8266 WDT +# CONFIG_ESP_PANIC_PRINT_REBOOT is not set +CONFIG_ESP_PANIC_PRINT_REBOOT=n +CONFIG_ESP_PANIC_PRINT_HALT=y + +# CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS is not set +CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS=n + +# ESP8266 Memory +CONFIG_FREERTOS_GLOBAL_DATA_LINK_IRAM=y +CONFIG_HEAP_DISABLE_IRAM=y + +# Performance +# CONFIG_COMPILER_OPTIMIZATION_PERF=y + +# Set max COU frequency (falls back as needed for lower maximum) +CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y + +# FreeRTOS ticks at 1ms interval +CONFIG_FREERTOS_UNICORE=y +CONFIG_FREERTOS_HZ=1000 + +# +# Compiler options +# +CONFIG_COMPILER_OPTIMIZATION_DEFAULT=y +# CONFIG_COMPILER_OPTIMIZATION_SIZE is not set +# CONFIG_COMPILER_OPTIMIZATION_PERF is not set +# CONFIG_COMPILER_OPTIMIZATION_NONE is not set +CONFIG_COMPILER_OPTIMIZATION_ASSERTIONS_ENABLE=y +# 
CONFIG_COMPILER_OPTIMIZATION_ASSERTIONS_SILENT is not set +# CONFIG_COMPILER_OPTIMIZATION_ASSERTIONS_DISABLE is not set +CONFIG_COMPILER_FLOAT_LIB_FROM_GCCLIB=y +CONFIG_COMPILER_OPTIMIZATION_ASSERTION_LEVEL=2 +# CONFIG_COMPILER_OPTIMIZATION_CHECKS_SILENT is not set +CONFIG_COMPILER_HIDE_PATHS_MACROS=y +# CONFIG_COMPILER_CXX_EXCEPTIONS is not set +# CONFIG_COMPILER_CXX_RTTI is not set +# CONFIG_COMPILER_STACK_CHECK_MODE_NONE is not set +CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y +# CONFIG_COMPILER_STACK_CHECK_MODE_STRONG is not set +# CONFIG_COMPILER_STACK_CHECK_MODE_ALL is not set +CONFIG_COMPILER_STACK_CHECK=y +# CONFIG_COMPILER_WARN_WRITE_STRINGS is not set +# CONFIG_COMPILER_SAVE_RESTORE_LIBCALLS is not set +# CONFIG_COMPILER_DISABLE_GCC12_WARNINGS is not set +# CONFIG_COMPILER_DUMP_RTL_FILES is not set +# end of Compiler options + +# We don't know that the min is actually v2, +# but this is the earliest tested. +CONFIG_ESP32C3_REV_MIN_2=y + +# +# Partition Table +# +# CONFIG_PARTITION_TABLE_SINGLE_APP is not set +CONFIG_PARTITION_TABLE_SINGLE_APP_LARGE=y +# CONFIG_PARTITION_TABLE_TWO_OTA is not set +# CONFIG_PARTITION_TABLE_CUSTOM is not set +CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv" +CONFIG_PARTITION_TABLE_FILENAME="partitions_singleapp_large.csv" +CONFIG_PARTITION_TABLE_OFFSET=0x8000 +CONFIG_PARTITION_TABLE_MD5=y +# end of Partition Table diff --git a/port/user_settings.h b/port/user_settings.h index db46196..1bdcfbe 100755 --- a/port/user_settings.h +++ b/port/user_settings.h @@ -874,6 +874,10 @@ Turn on timer debugging (used when CPU cycles not available) */ #define NO_WOLFSSL_ESP32_CRYPT_HASH +/** Use reduced benchmark / test sizes + */ +#define BENCH_EMBEDDED + /** Compile-fix */ #if !defined(SINGLE_THREADED) From 8c74b21a33fca80ae38d1e44b7fbf96d0e147a98 Mon Sep 17 00:00:00 2001 
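Review bot: `CONFIG_FREERTOS_HZ=1000` is set twice in this file (near the top and again under "FreeRTOS ticks at 1ms interval"), and the partition-table block sets `CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"` while `CONFIG_PARTITION_TABLE_CUSTOM` stays unset and the file this patch actually ships is `partitions_singleapp_large.csv`, so the custom entry names a file that does not exist in the example. Dropping the duplicate and either removing `CONFIG_PARTITION_TABLE_CUSTOM_FILENAME` or pointing it at the shipped csv keeps the defaults self-consistent. `CONFIG_BENCH_ARGV="-lng 0"` belongs to the benchmark example; nothing in the test's `main.c` reads it. The comment `Set max COU frequency` should read `CPU`.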
From: Frank Mertens Date: Thu, 1 Aug 2024 02:59:15 +0200 Subject: [PATCH 04/11] Updated readme --- README.md | 147 +++++++++++++++++++++++++++--------------------------- 1 file changed, 73 insertions(+), 74 deletions(-) diff --git a/README.md b/README.md index f1ade1e..a9558c1 100644 --- a/README.md +++ b/README.md 
@@ -1,74 +1,73 @@ -ESP-WOLFSSL -=========== - -# Licensing - - ---- -**IMPORTANT NOTE** - -Until March 2021, this repository contained binary distribution of wolfSSL libraries, which could be used royalty-free on all Espressif MCU products. This royalty-free binary distribution is not available anymore. - -This repository now uses upstream wolfSSL GitHub pointer as submodule and can still be used as ESP-IDF component. Please follow licensing requirements per [wolfssl/LICENSING](https://github.com/wolfSSL/wolfssl/blob/master/LICENSING) - ---- - -# Requirements -- ESP_IDF - - To run the examples user must have installed ESP-IDF version v4.1 (minimum supported) from https://github.com/espressif/esp-idf.git - - The IDF_PATH should be set as an environment variable - -# Getting Started - -- Please clone this repository using, - ``` - git clone --recursive https://github.com/espressif/esp-wolfssl - ``` -- Please refer to https://docs.espressif.com/projects/esp-idf/en/latest/get-started/index.html for setting ESP-IDF - - ESP-IDF can be downloaded from https://github.com/espressif/esp-idf/ - - ESP-IDF v4.1 and above is recommended version -- Please refer to [example README](examples/README.md) for more information on setting up examples - -# Options (Debugging and more) -- `esp-wolfssl` esp-tls related options can be obtained by choosing SSL library as `wolfSSL` in `idf.py/make menuconfig -> Component Config -> ESP-TLS -> choose SSL Library `. -It shows following options - - - Enable SMALL_CERT_VERIFY - - This is a flag used in wolfSSL component and is enabled by default in `esp-wolfssl`. 
- - Enabling this flag allows user to authenticate the server by providing the Intermediate CA certificate of the server, for a more strict check disable this flag after which you will have to provide the root certificate at top of the hierarchy of certificate chain which will have `Common Name = Issuer Name`, Such a strict check is not compulsary in most cases hence by default the flag is enabled but the option is provided for the user. - - - Enable Debug Logs for wolfSSL - - This option prints detailed logs of all the internal operations, highly useful when debugging an error. - -- `esp-wolfssl` specific options (see NOTE) are available under `idf.py/make menuconfig -> Component Config -> wolfSSL`. - - - Enable ALPN ( Application Layer Protocol Negotiation ) in wolfSSL - - This option is enabled by default for wolfSSL, and can be disabled if not required. - - - Enable OCSP (Online Certificate Status Protocol) in wolfSSL - - This options is disabled by default. Enabling it adds support for checking the host's certificate revocation status - during the TLS handshake. ---- -**NOTE** - These options are valid for `esp-tls` only if `wolfSSL` is selected as its SSL/TLS Library. ---- -# Comparison of wolfSSL and mbedTLS - -The following table shows a typical comparison between wolfSSL and mbedtls when `https_request` (which has server authentication) was run with both -SSL/TLS libraries and with all respective configurations set to default. -_(mbedtls IN_CONTENT length and OUT_CONTENT length were set to 16384 bytes and 4096 bytes respectively)_ - -| Property | wolfSSL | mbedTLS | -|--------------------|----------|----------| -| Total Heap Consumed| ~19 Kb | ~37 Kb | -| Task Stack Used | ~2.2 Kb | ~3.6 Kb | -| Bin size | ~858 Kb | ~736 Kb | - -# Additional Pointers - -In general, these are links which will be useful for using both wolfSSL, as well as networked and secure applications in general. 
Furthermore, there is a more comprehensive tutorial that can be found in Chapter 11 of the official wolfSSL manual. The examples in the wolfSSL package and Chapter 11 do appropriate error checking, which is worth taking a look at. For a more comprehensive API, check out chapter 17 of the official manual. - -- wolfSSL Manual [https://www.wolfssl.com/docs/wolfssl-manual/]() -- wolfSSL GitHub - [https://github.com/wolfssl/wolfssl]() - +ESP-WOLFSSL +=========== + +# Licensing + + +--- +**IMPORTANT NOTE** + +Until March 2021, this repository contained binary distribution of wolfSSL libraries, which could be used royalty-free on all Espressif MCU products. This royalty-free binary distribution is not available anymore. + +This repository now uses upstream wolfSSL GitHub pointer as submodule and can still be used as ESP-IDF component. Please follow licensing requirements per [wolfssl/LICENSING](https://github.com/wolfSSL/wolfssl/blob/master/LICENSING) + +--- + +# Requirements +- ESP_IDF + - To run the examples user must have installed ESP-IDF version v5.3 (minimum supported) from https://github.com/espressif/esp-idf.git + - The IDF_PATH should be set as an environment variable + +# Getting Started + +- Please clone this repository using, + ``` + git clone --recursive https://github.com/espressif/esp-wolfssl + ``` +- Please refer to https://docs.espressif.com/projects/esp-idf/en/latest/get-started/index.html for setting ESP-IDF + - ESP-IDF can be downloaded from https://github.com/espressif/esp-idf/ + - ESP-IDF v4.1 and above is recommended version +- Please refer to [example README](examples/README.md) for more information on setting up examples + +# Options (Debugging and more) +- `esp-wolfssl` esp-tls related options can be obtained by choosing SSL library as `wolfSSL` in `idf.py/make menuconfig -> Component Config -> ESP-TLS -> choose SSL Library `. 
+It shows following options + + - Enable SMALL_CERT_VERIFY + - This is a flag used in wolfSSL component and is enabled by default in `esp-wolfssl`. + - Enabling this flag allows user to authenticate the server by providing the Intermediate CA certificate of the server, for a more strict check disable this flag after which you will have to provide the root certificate at top of the hierarchy of certificate chain which will have `Common Name = Issuer Name`, Such a strict check is not compulsary in most cases hence by default the flag is enabled but the option is provided for the user. + + - Enable Debug Logs for wolfSSL + - This option prints detailed logs of all the internal operations, highly useful when debugging an error. + +- `esp-wolfssl` specific options (see NOTE) are available under `idf.py/make menuconfig -> Component Config -> wolfSSL`. + + - Enable ALPN ( Application Layer Protocol Negotiation ) in wolfSSL + - This option is enabled by default for wolfSSL, and can be disabled if not required. + + - Enable OCSP (Online Certificate Status Protocol) in wolfSSL + - This options is disabled by default. Enabling it adds support for checking the host's certificate revocation status + during the TLS handshake. +--- +**NOTE** + These options are valid for `esp-tls` only if `wolfSSL` is selected as its SSL/TLS Library. +--- +# Comparison of wolfSSL and mbedTLS + +The following table shows a typical comparison between wolfSSL and mbedtls when `https_request` (which has server authentication) was run with both +SSL/TLS libraries and with all respective configurations set to default. 
+_(mbedtls IN_CONTENT length and OUT_CONTENT length were set to 16384 bytes and 4096 bytes respectively)_
+
+| Property | wolfSSL | mbedTLS |
+|--------------------|----------|----------|
+| Total Heap Consumed| ~19 Kb | ~37 Kb |
+| Task Stack Used | ~2.2 Kb | ~3.6 Kb |
+| Bin size | ~858 Kb | ~736 Kb |
+
+# Additional Pointers
+
+In general, these are links which will be useful for using both wolfSSL, as well as networked and secure applications in general. Furthermore, there is a more comprehensive tutorial that can be found in Chapter 11 of the official wolfSSL manual. The examples in the wolfSSL package and Chapter 11 do appropriate error checking, which is worth taking a look at. For a more comprehensive API, check out chapter 17 of the official manual.
+
+- wolfSSL Manual [https://www.wolfssl.com/docs/wolfssl-manual/]()
+- wolfSSL GitHub
+ [https://github.com/wolfssl/wolfssl]()
From 79286a6d9be3cd84540fc9af38b4942a4b3171b2 Mon Sep 17 00:00:00 2001
From: Frank Mertens
Date: Thu, 1 Aug 2024 13:10:07 +0200
Subject: [PATCH 05/11] Fix: compile fix when OCSPv1 is enabled
---
 port/user_settings.h | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/port/user_settings.h b/port/user_settings.h
index 1bdcfbe..66f4bef 100755
--- a/port/user_settings.h
+++ b/port/user_settings.h
@@ -842,6 +842,8 @@ Turn on timer debugging (used when CPU cycles not available)
 #ifdef CONFIG_WOLFSSL_HAVE_OCSP
 #define HAVE_OCSP
 #define HAVE_CERTIFICATE_STATUS_REQUEST
+ #include
+ #include
 #endif
 
 /** Enable PKCS7 certificate parser with BER support
From 83d149bcf915037f634494e1c4097eaad9fa8ff9 Mon Sep 17 00:00:00 2001
From: Frank Mertens
Date: Fri, 2 Aug 2024 01:45:21 +0200
Subject: [PATCH 06/11] Enabled also OCSPv2 and clarify option help
---
 Kconfig | 3 ++-
 port/user_settings.h | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/Kconfig b/Kconfig
index 03fd3ee..416607c 100644
--- a/Kconfig
+++ b/Kconfig
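Review bot: The two `#include` lines added under `#ifdef CONFIG_WOLFSSL_HAVE_OCSP` carry no comment saying which declarations they provide, and the header names themselves are lost in this rendering. `port/user_settings.h` is pulled in by wolfSSL's `settings.h` before any other wolfSSL header (the example `main.c` in the first patch documents exactly that ordering), so any wolfSSL header included from inside it is processed before the configuration is complete, which is a known source of order-dependent build breaks; if the original compile error was in one translation unit, including the header there is the more robust fix. At minimum add a comment such as `/* needed with HAVE_CERTIFICATE_STATUS_REQUEST: <header> declares ... */` so the next maintainer knows why the includes live here.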
@@ -20,6 +20,7 @@ menu "wolfSSL" indicate support for OCSP when connecting as a TLS client. Server that support OCSP will forward the certificate's revocation status to the client and the client will automatically verify the servers certificate status based on the OCSP response forwarded to it.
- Note: This option enables the OCSP in stapling (v1) mode for the client hence the TLS server needs to support OCSP stapling v1 .
+ Note: This option enables mandatory OCSP certificate status checking using OCSP stapling version 1 or 2.
+ The TLS server the client is connecting to must support either of the two TLS extensions.
 endmenu # wolfSSL
diff --git a/port/user_settings.h b/port/user_settings.h
index 66f4bef..c969a93 100755
--- a/port/user_settings.h
+++ b/port/user_settings.h
@@ -837,11 +837,12 @@ Turn on timer debugging (used when CPU cycles not available)
 #define HAVE_ALPN
 #endif
-/** Optionally enable OCSPv1
+/** Optionally enable OCSP
 */
 #ifdef CONFIG_WOLFSSL_HAVE_OCSP
 #define HAVE_OCSP
 #define HAVE_CERTIFICATE_STATUS_REQUEST
+ #define HAVE_CERTIFICATE_STATUS_REQUEST_V2
 #include
 #include
 #endif
From f854e1eea4d1e1b83540f6fba61c5cb9c8d24f23 Mon Sep 17 00:00:00 2001
From: Frank Mertens
Date: Thu, 8 Aug 2024 12:29:33 +0200
Subject: [PATCH 07/11] Compile fix for ESP-IDF >=5.4
---
 port/esp32/rom/aes.h | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 port/esp32/rom/aes.h
diff --git a/port/esp32/rom/aes.h b/port/esp32/rom/aes.h
new file mode 100644
index 0000000..0c8cd90
--- /dev/null
+++ b/port/esp32/rom/aes.h
@@ -0,0 +1,5 @@
+/** workaround for having wolfSSL esp32-crypt include proper header file
+ */
+
+#include
+#undef AES_BLOCK_SIZE
From 7706b6e13512e91b1b7a80431af128052667b9d7 Mon Sep 17 00:00:00 2001
From: Frank Mertens
Date: Tue, 3 Sep 2024 19:56:00 +0200
Subject: [PATCH 08/11] Added a Kconfig switch to enabled/disable wolfSSL debugging more easily
---
 CMakeLists.txt | 4 ++++
 Kconfig | 7 +++++++
 2 files changed, 11 insertions(+)
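Review bot: The new help text says the option enables "mandatory" OCSP status checking, but the user_settings.h hunk of the same commit only defines `HAVE_OCSP`, `HAVE_CERTIFICATE_STATUS_REQUEST` and `HAVE_CERTIFICATE_STATUS_REQUEST_V2`, which compile the capability in; whether a connection actually requests stapling and fails closed without a response is decided at runtime by the TLS client code (in wolfSSL through calls such as `wolfSSL_CTX_EnableOCSPStapling()` / `wolfSSL_UseOCSPStapling()`), which this commit does not touch. Unless the esp-tls wolfSSL backend is known to make those calls, "mandatory" over-promises, and a reader may assume revocation is enforced when it is only available. Suggested wording: `Note: This option compiles in OCSP stapling support (status_request v1 and v2). Whether a connection requests and enforces the check depends on the TLS client code; the server must support one of the two extensions.`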
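Review bot: The new port/esp32/rom/aes.h shim includes a header and then undefines `AES_BLOCK_SIZE`, but its comment only says "workaround" and does not record what collides or what the shim depends on: presumably the ROM header's `AES_BLOCK_SIZE` clashes with the identically named constant in wolfSSL's own wolfcrypt aes.h, and the shim only takes effect if `port` precedes the IDF ROM directory on the include path. Because the include target is not visible here, it is also worth confirming it cannot resolve back to this shim itself (a self-include) once `port` is searched first. Suggest replacing the comment with `/* Shim in front of ESP-IDF's rom/aes.h for wolfSSL's esp32-crypt port: include the real ROM header (requires 'port' first on the include path) and drop its AES_BLOCK_SIZE, which clashes with wolfSSL's own AES_BLOCK_SIZE. Re-check on every ESP-IDF upgrade. */`.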
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6be9451..d258bf9 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -150,3 +150,7 @@ idf_component_register(
 )
 target_compile_definitions(${COMPONENT_LIB} PUBLIC WOLFSSL_USER_SETTINGS)
+
+if(CONFIG_WOLFSSL_DEBUGGING)
+ target_compile_definitions(${COMPONENT_LIB} PUBLIC DEBUG_WOLFSSL)
+endif()
diff --git a/Kconfig b/Kconfig
index 416607c..a59c335 100644
--- a/Kconfig
+++ b/Kconfig
@@ -23,4 +23,11 @@ menu "wolfSSL"
 Note: This option enables mandatory OCSP certificate status checking using OCSP stapling version 1 or 2.
 The TLS server the client is connecting to must support either of the two TLS extensions.
+ config WOLFSSL_DEBUGGING
+ bool "Enable wolfSSL debugging"
+ default n
+ help
+ Enable wolfSSL debugging. Once debugging is enabled sections of code between wolfSSL_Debugging_ON() and
+ wolfSSL_Debugging_OFF() will generate detailed debug messages.
+
 endmenu # wolfSSL
From 02c90e2e6eeb05750a5a890b6310d2dfa8bc5834 Mon Sep 17 00:00:00 2001
From: Frank Mertens
Date: Fri, 6 Sep 2024 11:41:41 +0200
Subject: [PATCH 09/11] Added a Kconfig option to enable/disable TLS 1.3
---
 Kconfig | 6 ++++++
 port/user_settings.h | 9 +++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/Kconfig b/Kconfig
index a59c335..dde371c 100644
--- a/Kconfig
+++ b/Kconfig
@@ -23,6 +23,12 @@ menu "wolfSSL"
 Note: This option enables mandatory OCSP certificate status checking using OCSP stapling version 1 or 2.
 The TLS server the client is connecting to must support either of the two TLS extensions.
+ config WOLFSSL_HAVE_TLS_13
+ bool "Enable TLS 1.3 in wolfSSL"
+ default n
+ help
+ Enable support for TLS version 1.3 in wolfSSL.
+
 config WOLFSSL_DEBUGGING
 bool "Enable wolfSSL debugging"
 default n
diff --git a/port/user_settings.h b/port/user_settings.h
index c969a93..c1e23dc 100755
--- a/port/user_settings.h
+++ b/port/user_settings.h
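Review bot: The `WOLFSSL_DEBUGGING` help text describes only the `wolfSSL_Debugging_ON()`/`wolfSSL_Debugging_OFF()` mechanism, while the CMake hunk of the same commit makes `DEBUG_WOLFSSL` a PUBLIC compile definition, so the switch changes every component that consumes the library and, once logging is turned on, emits wolfSSL's verbose internal handshake and certificate-processing trace to the console. The help should say that this is a development-only option so nobody ships a release firmware with it set: `Intended for development builds only: increases code size and, once enabled at runtime, logs verbose internal TLS state. Keep disabled in release builds.` It would also help to note next to the still-commented `/* #define DEBUG_WOLFSSL */` in user_settings.h that the define now comes from CMake, so the two switches do not drift apart.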
@@ -284,7 +284,10 @@ /* #define NO_OLD_TLS */
 /* TLS 1.3 */
-// #define WOLFSSL_TLS13
+#ifdef CONFIG_WOLFSSL_HAVE_TLS_13
+#define WOLFSSL_TLS13
+#endif
+
 #define HAVE_TLS_EXTENSIONS
 #define WC_RSA_PSS
 #define HAVE_HKDF
@@ -842,7 +845,9 @@ Turn on timer debugging (used when CPU cycles not available)
 #ifdef CONFIG_WOLFSSL_HAVE_OCSP
 #define HAVE_OCSP
 #define HAVE_CERTIFICATE_STATUS_REQUEST
- #define HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ #ifndef CONFIG_WOLFSSL_HAVE_TLS_13
+ #define HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ #endif
 #include
 #include
 #endif
From 9c8ae3c929b08b7faed9a97e26ead7268a9c06e5 Mon Sep 17 00:00:00 2001
From: Frank Mertens
Date: Mon, 16 Sep 2024 00:53:46 +0200
Subject: [PATCH 10/11] Added option to disable RSA
---
 Kconfig | 19 +++++++++++++++
 examples/wolfssl_benchmark/sdkconfig.defaults | 3 +++
 examples/wolfssl_test/sdkconfig.defaults | 2 ++
 port/user_settings.h | 24 ++++++++++---------
 4 files changed, 37 insertions(+), 11 deletions(-)
diff --git a/Kconfig b/Kconfig
index dde371c..e66596d 100644
--- a/Kconfig
+++ b/Kconfig
@@ -29,6 +29,12 @@ menu "wolfSSL"
 help
 Enable support for TLS version 1.3 in wolfSSL.
+ config WOLFSSL_HAVE_RSA
+ bool "Enable RSA in wolfSSL"
+ default "y"
+ help
+ Enables support for key exchange algorithms based on RSA.
+
 config WOLFSSL_DEBUGGING
 bool "Enable wolfSSL debugging"
 default n
@@ -36,4 +42,17 @@ menu "wolfSSL"
 Enable wolfSSL debugging. Once debugging is enabled sections of code between wolfSSL_Debugging_ON() and
 wolfSSL_Debugging_OFF() will generate detailed debug messages.
+ config CONFIG_WOLFSSL_HAVE_CRYPT_BENCHMARK
+ bool "Enable wolfSSL benchmark module"
+ default n
+ help
+ Enable wolfSSL cryptography benchmark.
+
+ config CONFIG_WOLFSSL_HAVE_CRYPT_TEST
+ bool "Enable wolfSSL test mobule"
+ default n
+ help
+ Enable wolfSSL cryptography benchmark.
+
+
 endmenu # wolfSSL
diff --git a/examples/wolfssl_benchmark/sdkconfig.defaults b/examples/wolfssl_benchmark/sdkconfig.defaults
index e7f3037..cfb470f 100644
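Review bot: Gating `HAVE_CERTIFICATE_STATUS_REQUEST_V2` on `CONFIG_WOLFSSL_HAVE_TLS_13` being unset drops status_request_v2 for the whole build, including TLS 1.2 connections, whenever TLS 1.3 is enabled; the extension is merely absent from TLS 1.3 itself, so this is a build-wide trade-off and nothing in the hunk says why it was made (presumably a build or handshake problem with both enabled). A one-line comment would keep the next reader from "fixing" it: `/* status_request_v2 is not part of TLS 1.3; with TLS 1.3 on this build also drops it for TLS 1.2 (TODO: confirm wolfSSL cannot carry both) */`. The `WOLFSSL_HAVE_TLS_13` help text in this commit's Kconfig hunk should state the same interaction, since it is invisible from menuconfig.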
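Review bot: The two new symbols are declared as `config CONFIG_WOLFSSL_HAVE_CRYPT_BENCHMARK` and `config CONFIG_WOLFSSL_HAVE_CRYPT_TEST`; ESP-IDF adds the `CONFIG_` prefix itself, so the generated macros become `CONFIG_CONFIG_WOLFSSL_HAVE_CRYPT_*`, the `#ifndef CONFIG_WOLFSSL_HAVE_CRYPT_TEST` / `#ifndef CONFIG_WOLFSSL_HAVE_CRYPT_BENCHMARK` checks in this commit's user_settings.h hunk will always define `NO_CRYPT_TEST` and `NO_CRYPT_BENCHMARK`, and the `CONFIG_WOLFSSL_HAVE_CRYPT_BENCHMARK=y` / `CONFIG_WOLFSSL_HAVE_CRYPT_TEST=y` lines in the two sdkconfig.defaults hunks name symbols that do not exist. The fix is `config WOLFSSL_HAVE_CRYPT_BENCHMARK` and `config WOLFSSL_HAVE_CRYPT_TEST`. Separately, `WOLFSSL_HAVE_CRYPT_TEST` carries the benchmark's help sentence and a typo ("mobule") in its prompt, and `WOLFSSL_HAVE_RSA` uses `default "y"` where every other bool in this menu uses an unquoted `default n`; `default y` is the conventional form.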
--- a/examples/wolfssl_benchmark/sdkconfig.defaults
+++ b/examples/wolfssl_benchmark/sdkconfig.defaults
@@ -95,3 +95,6 @@ CONFIG_PARTITION_TABLE_FILENAME="partitions_singleapp_large.csv"
 CONFIG_PARTITION_TABLE_OFFSET=0x8000
 CONFIG_PARTITION_TABLE_MD5=y
 # end of Partition Table
+
+
+CONFIG_WOLFSSL_HAVE_CRYPT_BENCHMARK=y
diff --git a/examples/wolfssl_test/sdkconfig.defaults b/examples/wolfssl_test/sdkconfig.defaults
index 2a5ad75..99d29ce 100644
--- a/examples/wolfssl_test/sdkconfig.defaults
+++ b/examples/wolfssl_test/sdkconfig.defaults
@@ -96,3 +96,5 @@ CONFIG_PARTITION_TABLE_FILENAME="partitions_singleapp_large.csv"
 CONFIG_PARTITION_TABLE_OFFSET=0x8000
 CONFIG_PARTITION_TABLE_MD5=y
 # end of Partition Table
+
+CONFIG_WOLFSSL_HAVE_CRYPT_TEST=y
diff --git a/port/user_settings.h b/port/user_settings.h
index c1e23dc..45d7d2c 100755
--- a/port/user_settings.h
+++ b/port/user_settings.h
@@ -141,11 +141,7 @@ /* Full debugging turned off, but show malloc failure detail */
 /* #define DEBUG_WOLFSSL */
-#define DEBUG_WOLFSSL_MALLOC
-
-/* See test.c that sets cert buffers; we'll set them here: */
-#define USE_CERT_BUFFERS_256
-#define USE_CERT_BUFFERS_2048
+// #define DEBUG_WOLFSSL_MALLOC
 /* RSA_LOW_MEM: Half as much memory but twice as slow. */
 #define RSA_LOW_MEM
@@ -288,6 +284,18 @@
 #define WOLFSSL_TLS13
 #endif
+#ifndef CONFIG_WOLFSSL_HAVE_RSA
+#define NO_RSA
+#endif
+
+#ifndef CONFIG_WOLFSSL_HAVE_CRYPT_TEST
+#define NO_CRYPT_TEST
+#endif
+
+#ifndef CONFIG_WOLFSSL_HAVE_CRYPT_BENCHMARK
+#define NO_CRYPT_BENCHMARK
+#endif
+
 #define HAVE_TLS_EXTENSIONS
 #define WC_RSA_PSS
 #define HAVE_HKDF
@@ -885,9 +893,3 @@ Turn on timer debugging (used when CPU cycles not available)
 /** Use reduced benchmark / test sizes */
 #define BENCH_EMBEDDED
-
-/** Compile-fix
- */
-#if !defined(SINGLE_THREADED)
- #include
-#endif
From 18bc296129e33d2581294bd0f3b77c65d7dcf98c Mon Sep 17 00:00:00 2001
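Review bot: `NO_RSA` in the @@ -288 hunk removes RSA from wolfCrypt entirely, which disables verification of RSA-signed server certificates and chains (still the common case for public CAs) as well as RSA key exchange, while the Kconfig help in the same commit describes the option only as "key exchange algorithms based on RSA"; both the help and a comment here should state the full effect, e.g. `/* NO_RSA also drops RSA signature verification: servers presenting RSA certificates will fail authentication */`. `RSA_LOW_MEM` (context in the @@ -141 hunk) and `WC_RSA_PSS` stay defined unconditionally; wrapping them in the same `CONFIG_WOLFSSL_HAVE_RSA` condition would make the grouping explicit. The @@ -141 hunk also removes `USE_CERT_BUFFERS_256` / `USE_CERT_BUFFERS_2048`, which the removed comment tied to wolfSSL's test.c; it is worth confirming the test and benchmark examples still build with the new CRYPT_TEST / CRYPT_BENCHMARK options enabled.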
From: Frank Mertens
Date: Tue, 17 Sep 2024 20:53:13 +0200
Subject: [PATCH 11/11] Build fix for when building without the following combination: no OCSP, no TLS13 and no SINGLE_THREADED
---
 port/user_settings.h | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/port/user_settings.h b/port/user_settings.h
index 45d7d2c..44fecd7 100755
--- a/port/user_settings.h
+++ b/port/user_settings.h
@@ -858,6 +858,10 @@ Turn on timer debugging (used when CPU cycles not available)
 #endif
 #include
 #include
+#else
+ #if !defined(SINGLE_THREADED)
+ #include
+ #endif
 #endif
 /** Enable PKCS7 certificate parser with BER support
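Review bot: The new `#else` branch re-adds the `!defined(SINGLE_THREADED)` include that the previous commit removed from the end of the file, but only for builds without OCSP, and nothing records why; the subject says the failing combination is no OCSP, no TLS 1.3 and multi-threaded, which suggests the two OCSP includes above pull the same header in transitively. That dependency is implicit and will break again if the OCSP includes change; an unconditional `#if !defined(SINGLE_THREADED)` / `#include` / `#endif` placed after the whole OCSP `#ifdef` block (relying on the header's include guard) would be the simpler fix, or failing that a comment on the `#else` such as `/* without HAVE_OCSP nothing else includes the threading header that multi-threaded builds need */`. The `#ifdef CONFIG_WOLFSSL_HAVE_OCSP` block this belongs to begins above the hunk.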