1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
9  *
10  * This software is licensed as described in the file COPYING, which
11  * you should have received as part of this distribution. The terms
12  * are also available at https://curl.haxx.se/docs/copyright.html.
13  *
14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15  * copies of the Software, and permit persons to whom the Software is
16  * furnished to do so, under the terms of the COPYING file.
17  *
18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19  * KIND, either express or implied.
20  *
21  ***************************************************************************/
22 /*
By default wolfSSL has a very conservative configuration that can result in
connections to servers failing due to certificate or algorithm problems.
To remedy this issue for libcurl, I've generated this options file, which
build-wolfssl copies to the wolfSSL include directories; the result is
maximum compatibility.
28 
29 These are the configure options that were used to build wolfSSL v3.11.0 in
30 mingw and generate the options in this file:
31 
32 C_EXTRA_FLAGS="\
33   -Wno-attributes \
34   -Wno-unused-but-set-variable \
35   -DFP_MAX_BITS=16384 \
36   -DTFM_TIMING_RESISTANT \
37   -DWOLFSSL_STATIC_DH \
38   -DWOLFSSL_STATIC_RSA \
39   " \
40 ./configure --prefix=/usr/local \
41   --disable-jobserver \
42   --enable-aesgcm \
43   --enable-alpn \
44   --enable-certgen \
45   --enable-des3 \
46   --enable-dh \
47   --enable-dsa \
48   --enable-ecc \
49   --enable-eccshamir \
50   --enable-fastmath \
51   --enable-opensslextra \
52   --enable-ripemd \
53   --enable-sessioncerts \
54   --enable-sha512 \
55   --enable-sni \
56   --enable-sslv3 \
57   --enable-supportedcurves \
58   --enable-testcert \
59   > config.out 2>&1
60 
Two generated options, HAVE_THREAD_LS and _POSIX_THREADS, were removed since
they are inapplicable to our Visual Studio build. Currently, thread local
storage is only used by the Fixed Point cache ECC, which we're not enabling.
However, even if we later decide to enable the cache, it will fall back on
mutexes when thread local storage is not available. wolfSSL uses
__declspec(thread) to create the thread local storage, and that could be a
problem for LoadLibrary.
67 
68 Regarding the options that were added via C_EXTRA_FLAGS:
69 
70 FP_MAX_BITS=16384
71 https://www.yassl.com/forums/topic423-cacertorgs-ca-cert-verify-failed-but-withdisablefastmath-it-works.html
72 "Since root.crt uses a 4096-bit RSA key, you'll need to increase the fastmath
73 buffer size.  You can do this using the define:
74 FP_MAX_BITS and setting it to 8192."
75 
76 TFM_TIMING_RESISTANT
77 https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-2-building-wolfssl.html
78 From section 2.4.5 Increasing Performance, USE_FAST_MATH:
79 "Because the stack memory usage can be larger when using fastmath, we recommend
80 defining TFM_TIMING_RESISTANT as well when using this option."
81 
82 WOLFSSL_STATIC_DH:    Allow TLS_ECDH_ ciphers
83 WOLFSSL_STATIC_RSA:   Allow TLS_RSA_ ciphers
84 https://github.com/wolfSSL/wolfssl/blob/v3.6.6/README.md#note-1
85 Static key cipher suites are deprecated and disabled by default since v3.6.6.
86 */
87 
88 /* wolfssl options.h
89  * generated from configure options
90  *
91  * Copyright (C) 2006-2015 wolfSSL Inc.
92  *
93  * This file is part of wolfSSL. (formerly known as CyaSSL)
94  *
95  */
96 
#ifndef WOLFSSL_OPTIONS_H
#define WOLFSSL_OPTIONS_H


#ifdef __cplusplus
extern "C" {
#endif

/* Options that were passed through C_EXTRA_FLAGS at configure time (see the
 * header comment above). Every option is #undef'd before it is defined so
 * that a conflicting value from the compiler command line or an earlier
 * include cannot produce a redefinition warning or win over this file. */

/* Fastmath big-integer width. 16384 bits leaves headroom for 4096-bit RSA
 * keys; the forum post quoted above recommends at least 8192. */
#undef  FP_MAX_BITS
#define FP_MAX_BITS 16384

/* Constant-time fastmath operations, a timing side-channel countermeasure.
 * configure emits this define again further down; the repeat is harmless. */
#undef  TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT

/* Static (non-ephemeral) DH and RSA key-exchange cipher suites. As the
 * README note quoted above says, wolfSSL deprecates and disables these by
 * default since v3.6.6; they provide no forward secrecy and are enabled here
 * only for compatibility with servers that offer nothing else. */
#undef  WOLFSSL_STATIC_DH
#define WOLFSSL_STATIC_DH

#undef  WOLFSSL_STATIC_RSA
#define WOLFSSL_STATIC_RSA

/* OpenSSL-compatibility API layer (--enable-opensslextra). */
#undef  OPENSSL_EXTRA
#define OPENSSL_EXTRA

/*
The commented out defines below are the equivalent of --enable-tls13.
Uncomment them to build wolfSSL with TLS 1.3 support as of v3.11.1-tls13-beta.
This is for experimenting only; as far as I can tell, TLS 1.3 support doesn't
appear to be functioning correctly yet. https://github.com/wolfSSL/wolfssl/pull/943

#undef  WC_RSA_PSS
#define WC_RSA_PSS

#undef  WOLFSSL_TLS13
#define WOLFSSL_TLS13

#undef  HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef  HAVE_FFDHE_2048
#define HAVE_FFDHE_2048

#undef  HAVE_HKDF
#define HAVE_HKDF
*/

/* Options generated by wolfSSL's configure for the command line shown in
 * the header comment. */

/* Duplicate of the C_EXTRA_FLAGS define above; the #undef keeps it harmless. */
#undef  TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT

/* Timing side-channel countermeasures for ECC and RSA private-key
 * operations (constant-time scalar multiplication and RSA blinding). */
#undef  ECC_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT

#undef  WC_RSA_BLINDING
#define WC_RSA_BLINDING

/* AES-GCM AEAD cipher suites (--enable-aesgcm). */
#undef  HAVE_AESGCM
#define HAVE_AESGCM

/* RIPEMD-160 (--enable-ripemd). */
#undef  WOLFSSL_RIPEMD
#define WOLFSSL_RIPEMD

/* SHA-512 and SHA-384 (--enable-sha512; configure emits both). */
#undef  WOLFSSL_SHA512
#define WOLFSSL_SHA512

#undef  WOLFSSL_SHA384
#define WOLFSSL_SHA384

/* Keep the peer's certificate chain in the session (--enable-sessioncerts). */
#undef  SESSION_CERTS
#define SESSION_CERTS

/* Certificate generation API (--enable-certgen). */
#undef  WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_GEN

/* ECC support, the fastmath P-256 path and Shamir's trick for dual scalar
 * multiplication (--enable-ecc, --enable-fastmath, --enable-eccshamir). */
#undef  HAVE_ECC
#define HAVE_ECC

#undef  TFM_ECC256
#define TFM_ECC256

#undef  ECC_SHAMIR
#define ECC_SHAMIR

/* Permit SSL 3.0 (--enable-sslv3). SSL 3.0 is an obsolete protocol version
 * with known weaknesses that wolfSSL does not allow by default; it is turned
 * on here purely for compatibility. A libcurl built against this header
 * should still restrict the minimum protocol version at the application
 * level rather than relying on this option to be safe. */
#undef  WOLFSSL_ALLOW_SSLV3
#define WOLFSSL_ALLOW_SSLV3

/* Legacy stream ciphers compiled out. */
#undef  NO_RC4
#define NO_RC4

#undef  NO_HC128
#define NO_HC128

#undef  NO_RABBIT
#define NO_RABBIT

/* ChaCha20-Poly1305 AEAD cipher suites. */
#undef  HAVE_POLY1305
#define HAVE_POLY1305

#undef  HAVE_ONE_TIME_AUTH
#define HAVE_ONE_TIME_AUTH

#undef  HAVE_CHACHA
#define HAVE_CHACHA

/* Hash_DRBG random number generator. */
#undef  HAVE_HASHDRBG
#define HAVE_HASHDRBG

/* TLS extensions: SNI (--enable-sni), ALPN (--enable-alpn) and supported
 * curves (--enable-supportedcurves). HAVE_TLS_EXTENSIONS appears three
 * times, presumably emitted once per extension by configure; each repeat is
 * preceded by an #undef, so the duplicates are harmless. */
#undef  HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef  HAVE_SNI
#define HAVE_SNI

#undef  HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef  HAVE_ALPN
#define HAVE_ALPN

#undef  HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef  HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES

/* Extended Master Secret extension (RFC 7627), which binds the master secret
 * to the full handshake transcript. */
#undef  HAVE_EXTENDED_MASTER
#define HAVE_EXTENDED_MASTER

/* Certificate test API (--enable-testcert). */
#undef  WOLFSSL_TEST_CERT
#define WOLFSSL_TEST_CERT

/* Pre-shared-key cipher suites and MD4 compiled out. */
#undef  NO_PSK
#define NO_PSK

#undef  NO_MD4
#define NO_MD4

/* Fastmath big-integer backend (--enable-fastmath); FP_MAX_BITS and
 * TFM_TIMING_RESISTANT above only have effect with this set. */
#undef  USE_FAST_MATH
#define USE_FAST_MATH

/* No asynchronous threading. The generated HAVE_THREAD_LS and _POSIX_THREADS
 * defines were removed by hand (see the header comment) because they do not
 * apply to the Visual Studio build. */
#undef  WC_NO_ASYNC_THREADING
#define WC_NO_ASYNC_THREADING


#ifdef __cplusplus
}
#endif


#endif /* WOLFSSL_OPTIONS_H */
245