Merge pull request #6371 from dgarske/lowres
Fixes and improvements for building with low footprint
jpbland1 authored May 3, 2023
2 parents 714ec82 + 4b90afa commit 6369b1e
Showing 9 changed files with 252 additions and 114 deletions.
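--- a/IDE/NETOS/user_settings.h
+++ b/IDE/NETOS/user_settings.h
@@ -458,7 +458,6 @@ extern "C" {
 /* RNG */
 /* ------------------------------------------------------------------------- */
 
-/* Seed Source */
 /* Seed Source */
 #if 1
 extern int my_rng_generate_seed(unsigned char* output, int sz);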
9 changes: 6 additions & 3 deletions configure.ac
@@ -1849,10 +1849,13 @@ AC_ARG_ENABLE([lowresource],
if test "$ENABLED_LOWRESOURCE" = "yes"
then
# low memory / flash flags
AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE -DRSA_LOW_MEM -DGCM_SMALL -DCURVE25519_SMALL -DED25519_SMALL -DWOLFSSL_SMALL_CERT_VERIFY -DWOLFSSL_NO_ASYNC_IO"
AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE -DRSA_LOW_MEM -DCURVE25519_SMALL -DED25519_SMALL -DWOLFSSL_SMALL_CERT_VERIFY -DWOLFSSL_NO_ASYNC_IO"

# low flash flags
AM_CFLAGS="$AM_CFLAGS -DUSE_SLOW_SHA -DUSE_SLOW_SHA256 -DUSE_SLOW_SHA512"

# AES small
AM_CFLAGS="$AM_CFLAGS -DGCM_SMALL -DWOLFSSL_AES_NO_UNROLL -DWOLFSSL_AES_SMALL_TABLES"
fi


@@ -3998,7 +4001,7 @@ else
fi

if test "$ENABLED_RSA" = "yes" && test "$ENABLED_RSAVFY" = "no" && \
test "$ENABLED_ASN" = "no"
test "$ENABLED_ASN" = "no" && test "$ENABLED_LOWRESOURCE" = "no"
then
AC_MSG_ERROR([please disable rsa if disabling asn.])
fi
@@ -8465,7 +8468,7 @@ AM_CONDITIONAL([BUILD_SAKKE],[test "x$ENABLED_SAKKE" = "xyes" || test "x$ENABLED
AM_CONDITIONAL([BUILD_MEMORY],[test "x$ENABLED_MEMORY" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_RSA],[test "x$ENABLED_RSA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_DH],[test "x$ENABLED_DH" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_ASN],[test "x$ENABLED_ASN" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_ASN],[test "x$ENABLED_ASN" != "xno" || test "x$ENABLED_RSA" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_AES],[test "x$ENABLED_AES" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CODING],[test "x$ENABLED_CODING" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_RC4],[test "x$ENABLED_ARC4" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
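Review bot: The second hunk's guard `AC_MSG_ERROR([please disable rsa if disabling asn.])` is bypassed when `ENABLED_LOWRESOURCE` is yes, yet no comment says why RSA without ASN is acceptable in that mode (this assumes the longer `test` line is the new side; the page has lost its +/- markers). The third hunk also seems to make `BUILD_ASN` true whenever `ENABLED_RSA` is yes, so the error and the conditional now disagree about whether the combination is supported at all. I would put a comment above the test such as `# --enable-lowresource may keep RSA with --disable-asn; BUILD_ASN is presumably still true when RSA is on`, or drop the lowresource exception if the BUILD_ASN change makes the error obsolete. The first hunk's `# AES small` flags would benefit from the same kind of one-line rationale, since `--enable-lowresource` now changes the AES implementation as well as GCM.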
176 changes: 135 additions & 41 deletions examples/configs/user_settings_wolftpm.h
@@ -20,16 +20,44 @@
*/


/* should be renamed to user_settings.h for customer use
* generated from configure and wolfssl/options.h using:
* ./configure --enable-wolftpm --disable-dh --disable-oldtls \
* --disable-sha3 --disable-sha512 --disable-sha384 --disable-sha224 \
* --disable-pkcs12 --disable-chacha --disable-poly1305 \
* --disable-sys-ca-certs --disable-examples
*
* Cleaned up by David Garske
/* To use the rename file to user_settings.h and define WOLFSSL_USER_SETTINGS */

/* Test using:
cp ./examples/configs/user_settings_wolftpm.h user_settings.h
./configure --enable-usersettings --disable-examples CFLAGS="-Os"
make
*/

/* Options generated from configure and wolfssl/options.h using:
./configure --enable-wolftpm --disable-dh --disable-oldtls \
--disable-sha3 --disable-sha512 --disable-sha384 --disable-sha224 \
--disable-pkcs12 --disable-chacha --disable-poly1305 \
--disable-sys-ca-certs --disable-examples
*/

/* Options for USE_LOW_RESOURCE generated with configure and wolfssl/options.h
* using:
./configure --enable-lowresource --enable-cryptonly --enable-aescfb \
--enable-hmac --enable-cryptocb --enable-singlethreaded \
--enable-sp=smallrsa2048 --enable-sp-math --disable-sp-asm \
--disable-filesystem --disable-asm --disable-pkcs8 --disable-pkcs12 \
--disable-ecc --disable-dh \
--disable-sha224 --disable-sha384 --disable-sha512 \
--disable-md5 --disable-sha3 \
--disable-aescbc --disable-aesgcm --disable-aesccm \
--disable-poly1305 --disable-chacha \
--disable-hashdrbg \
--disable-sys-ca-certs --disable-error-queue-per-thread \
--disable-oldtls --disable-errorstrings --disable-memory --disable-coding \
--disable-examples --disable-optflags \
CFLAGS="-Os -DNO_SIG_WRAPPER -DNO_AES_192 -DNO_AES_256 \
-DWOLFSSL_RSA_PUBLIC_ONLY -DWOLFSSL_RSA_VERIFY_INLINE -DNO_CHECK_PRIVATE_KEY"
*/

/* For the wolfTPM build:
./configure --enable-swtpm CFLAGS="-Os" && make
*/


#ifndef WOLF_USER_SETTINGS_TPM_H
#define WOLF_USER_SETTINGS_TPM_H
@@ -38,7 +66,15 @@
extern "C" {
#endif

#if 1
/* enable for low resource options */
#if 0
#define USE_LOW_RESOURCE
#endif

#ifdef USE_LOW_RESOURCE
/* wolfCrypt only (no SSL/TLS) */
#define WOLFCRYPT_ONLY
#else
/* wolfTPM with TLS example (v1.3 only) */
#define WOLFSSL_TLS13
#define WOLFSSL_NO_TLS12
@@ -52,78 +88,136 @@ extern "C" {
#define HAVE_HKDF
#define WC_RSA_PSS
#define WOLFSSL_PSS_LONG_SALT
#else
/* wolfCrypt only (no SSL/TLS) */
#define WOLFCRYPT_ONLY
#endif

/* No threading or file system */
#define SINGLE_THREADED
/* File system disable */
#if 0
#define NO_FILESYSTEM
#endif

/* Enable crypto callbacks */
#define WOLF_CRYPTO_CB

/* Enable PRNG (SHA2-256) */
#define HAVE_HASHDRBG

/* Enable SP math all (sp_int.c) with multi-precision support */
#define WOLFSSL_SP_MATH_ALL
#ifdef USE_LOW_RESOURCE
/* Single Precision math for RSA 2048 only (small) */
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_SP_MATH
#define WOLFSSL_SP_SMALL
#define WOLFSSL_SP_NO_3072 /* 2048-only */
#else
/* Enable SP math all (sp_int.c) with multi-precision support */
#define WOLFSSL_SP_MATH_ALL
#endif

/* Enable hardening (timing resistance) */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING

/* Enable PRNG (SHA2-256) */
#ifdef USE_LOW_RESOURCE
/* use TPM TRNG */
#define WC_NO_HASHDRBG
#else
#define HAVE_HASHDRBG
#endif

/* Asymmetric */
#define HAVE_ECC
#undef NO_RSA
#define NO_DH
#ifndef NO_DH
#if 1 /* RSA - needed to encrypt salt */
#undef NO_RSA
#ifdef USE_LOW_RESOURCE
#define WOLFSSL_RSA_PUBLIC_ONLY
#define WOLFSSL_RSA_VERIFY_INLINE
#define NO_CHECK_PRIVATE_KEY
#endif
#else
#define NO_RSA
#endif
#ifndef USE_LOW_RESOURCE /* ECC */
#define HAVE_ECC
#define ECC_USER_CURVES /* default to only SECP256R1 */
#endif
#ifndef USE_LOW_RESOURCE /* DH */
#undef NO_DH
#define HAVE_FFDHE_2048
#define HAVE_DH_DEFAULT_PARAMS
#else
#define NO_DH
#endif

/* Symmetric Hash */
#undef NO_SHA
#undef NO_SHA256
#define WOLFSSL_SHA512
#define WOLFSSL_SHA384
#ifndef USE_LOW_RESOURCE
#define WOLFSSL_SHA512
#define WOLFSSL_SHA384
#endif

/* Symmetric Cipher */
#define HAVE_AES_KEYWRAP
#define WOLFSSL_AES_DIRECT
#define WOLFSSL_AES_CFB
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
#define HAVE_AES_DECRYPT
#ifndef USE_LOW_RESOURCE
#define HAVE_AES_KEYWRAP
#define WOLFSSL_AES_DIRECT
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
#else
#define NO_AES_CBC
#endif

#if 0
#if 0 /* ChaCha20 / Poly1305 */
#define HAVE_POLY1305
#define HAVE_CHACHA
#endif

/* Features */
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT

#define HAVE_PKCS7
#define HAVE_X963_KDF
#define WOLFSSL_BASE64_ENCODE

#define WOLFSSL_ASN_TEMPLATE
#define WOLFSSL_USER_IO /* user recv/send callbacks for network IO */
#ifndef USE_LOW_RESOURCE
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT

#define HAVE_PKCS7
#define HAVE_X963_KDF
#define WOLFSSL_BASE64_ENCODE
#endif

/* Disables */
#define NO_PKCS8
#define NO_PKCS12
#define NO_PWDBASED
#define NO_DSA
#define NO_DES3
#define NO_RC4
#define NO_PSK
#define NO_MD4
#define NO_MD5
#define WOLFSSL_NO_SHAKE128
#define WOLFSSL_NO_SHAKE256

#define NO_WRITEV

/* Low Resource Options */
#ifdef USE_LOW_RESOURCE
#define NO_FILESYSTEM /* File system disable */
#define NO_ERROR_STRINGS
#define WOLFSSL_NO_ASM
#define TFM_NO_ASM
#define NO_WOLFSSL_MEMORY
#define NO_SESSION_CACHE
#define RSA_LOW_MEM
#define WOLFSSL_AES_SMALL_TABLES
#define WOLFSSL_AES_NO_UNROLL
#define GCM_SMALL
#undef GCM_TABLE_4BIT
#define NO_AES_192
#define NO_AES_256
#define USE_SLOW_SHA
#define USE_SLOW_SHA256
#define USE_SLOW_SHA512
#define NO_SIG_WRAPPER
#define NO_ASN_TIME
#define NO_CODING
#define NO_BIG_INT
#endif

#ifdef __cplusplus
}
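Review bot: In the third hunk's RNG block, `WC_NO_HASHDRBG` is defined for `USE_LOW_RESOURCE` under the heading `/* Enable PRNG (SHA2-256) */`, with only `/* use TPM TRNG */` to say where random bytes come from instead. Presumably they are expected to arrive from the TPM through the `WOLF_CRYPTO_CB` path; if so, an RNG that is not bound to the TPM device would have no DRBG behind it, and that dependency belongs next to the define. I would change the heading to `/* RNG: Hash-DRBG (SHA2-256) by default, TPM TRNG for low resource */` and the inner comment to `/* no Hash-DRBG: random data must come from the TPM via the crypto callback; confirm the RNG is initialised with the TPM device ID */`. The low-resource branches likewise add `NO_ASN_TIME` and `NO_CHECK_PRIVATE_KEY` without saying which validation each one removes, which a reader copying this file into a product should be told.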
4 changes: 2 additions & 2 deletions wolfcrypt/benchmark/benchmark.c
@@ -6516,7 +6516,7 @@ static void bench_rsa_helper(int useDeviceID, RsaKey rsaKey[BENCH_MAX_PENDING],
BENCH_ASYNC_GET_DEV(&rsaKey[i]),
1, &times, ntimes, &pending)) {
ret = wc_RsaSSL_Sign(message, len, enc[i],
rsaKeySz/8, &rsaKey[i], &gRng);
rsaKeySz/8, &rsaKey[i], GLOBAL_RNG);
if (!bench_async_handle(&ret,
BENCH_ASYNC_GET_DEV(&rsaKey[i]),
1, &times, &pending)) {
@@ -7371,7 +7371,7 @@ void bench_ecc(int useDeviceID, int curveId)
}

ret = wc_ecc_sign_hash(digest[i], (word32)keySize, sig[i],
&x[i], &gRng, &genKey[i]);
&x[i], GLOBAL_RNG, &genKey[i]);

if (!bench_async_handle(&ret,
BENCH_ASYNC_GET_DEV(&genKey[i]), 1, &times,