build-wolfssl: Allow a broader range of ciphers (Visual Studio) (27c99a37) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

projects/wolfssl_options.h

+67 −26

Original line number	Diff line number	Diff line
		@@ -5,27 +5,42 @@ To remedy this issue for libcurl I've generated this options file that
		build-wolfssl will copy to the wolfSSL include directories and will result in
		maximum compatibility.

		These configure flags were used in MinGW to generate the options in this file:

		--enable-opensslextra
		--enable-aesgcm
		--enable-ripemd
		--enable-sha512
		--enable-dh
		--enable-dsa
		--enable-ecc
		--enable-sni
		--enable-fastmath
		--enable-sessioncerts
		--enable-certgen
		--enable-testcert
		--enable-alpn
		C_EXTRA_FLAGS="-DFP_MAX_BITS=16384 -DTFM_TIMING_RESISTANT"
		These are the configure options that were used to build wolfSSL v3.9.0 in mingw
		and generate the options in this file:

		C_EXTRA_FLAGS="\
		-Wno-attributes \
		-Wno-unused-but-set-variable \
		-DFP_MAX_BITS=16384 \
		-DTFM_TIMING_RESISTANT \
		-DWOLFSSL_STATIC_DH \
		-DWOLFSSL_STATIC_RSA \
		" \
		./configure --prefix=/usr/local \
		--enable-aesgcm \
		--enable-alpn \
		--enable-certgen \
		--enable-dh \
		--enable-dsa \
		--enable-ecc \
		--enable-fastmath \
		--enable-opensslextra \
		--enable-ripemd \
		--enable-sessioncerts \
		--enable-sha512 \
		--enable-sni \
		--enable-sslv3 \
		--enable-testcert \
		> config.out 2>&1

		Two generated options HAVE_THREAD_LS and _POSIX_THREADS were removed since they
		are inapplicable for our Visual Studio build.
		are inapplicable for our Visual Studio build. Currently thread local storage is
		only used by the Fixed Point cache ECC which we're not enabling. However even
		if we later may decide to enable the cache it will fallback on mutexes when
		thread local storage is not available. wolfSSL is using __declspec(thread) to
		create the thread local storage and that could be a problem for LoadLibrary.

		Regarding the two options that were added via C_EXTRA_FLAGS:
		Regarding the options that were added via C_EXTRA_FLAGS:

		FP_MAX_BITS=16384
		http://www.yassl.com/forums/topic423-cacertorgs-ca-cert-verify-failed-but-withdisablefastmath-it-works.html
		@@ -38,6 +53,11 @@ https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-2-building-wolfssl.html
		From section 2.4.5 Increasing Performance, USE_FAST_MATH:
		"Because the stack memory usage can be larger when using fastmath, we recommend
		defining TFM_TIMING_RESISTANT as well when using this option."

		WOLFSSL_STATIC_DH: Allow TLS_ECDH_ ciphers
		WOLFSSL_STATIC_RSA: Allow TLS_RSA_ ciphers
		https://github.com/wolfSSL/wolfssl/blob/v3.6.6/README.md#note-1
		Static key cipher suites are deprecated and disabled by default since v3.6.6.
		*/

		/* wolfssl options.h
		@@ -49,7 +69,9 @@ defining TFM_TIMING_RESISTANT as well when using this option."
		*
		*/

		#pragma once
		#ifndef WOLFSSL_OPTIONS_H
		#define WOLFSSL_OPTIONS_H


		#ifdef __cplusplus
		extern "C" {
		@@ -61,6 +83,12 @@ extern "C" {
		#undef TFM_TIMING_RESISTANT
		#define TFM_TIMING_RESISTANT

		#undef WOLFSSL_STATIC_DH
		#define WOLFSSL_STATIC_DH

		#undef WOLFSSL_STATIC_RSA
		#define WOLFSSL_STATIC_RSA

		#undef OPENSSL_EXTRA
		#define OPENSSL_EXTRA

		@@ -91,15 +119,12 @@ extern "C" {
		#undef ECC_SHAMIR
		#define ECC_SHAMIR

		#undef NO_PSK
		#define NO_PSK
		#undef WOLFSSL_ALLOW_SSLV3
		#define WOLFSSL_ALLOW_SSLV3

		#undef NO_RC4
		#define NO_RC4

		#undef NO_MD4
		#define NO_MD4

		#undef NO_HC128
		#define NO_HC128

		@@ -124,16 +149,32 @@ extern "C" {
		#undef HAVE_SNI
		#define HAVE_SNI

		#undef HAVE_TLS_EXTENSIONS
		#define HAVE_TLS_EXTENSIONS

		#undef HAVE_ALPN
		#define HAVE_ALPN

		#undef HAVE_TLS_EXTENSIONS
		#define HAVE_TLS_EXTENSIONS

		#undef WOLFSSL_TEST_CERT
		#define WOLFSSL_TEST_CERT

		#undef NO_PSK
		#define NO_PSK

		#undef NO_MD4
		#define NO_MD4

		#undef USE_FAST_MATH
		#define USE_FAST_MATH

		#undef HAVE_ALPN
		#define HAVE_ALPN

		#ifdef __cplusplus
		}
		#endif


		#endif /* WOLFSSL_OPTIONS_H */