|
SharkSSL™ Embedded SSL/TLS Stack
|
Add/remove SharkSSL features and/or optimize for speed versus size.
more stuff here. Fixme.
Modules | |
| HASH algorithms | |
Macros | |
| #define | SHARKSSL_TLS_1_3 1 |
| TLS 1.3 stack Disable by setting SHARKSSL_TLS_1_3=0. | |
| #define | SHARKSSL_TLS_1_2 1 |
| TLS 1.2 stack Disable by setting SHARKSSL_TLS_1_2=0. | |
| #define | SHARKSSL_USE_AES_256 1 |
| Enable/disable AES 256. | |
| #define | SHARKSSL_USE_AES_128 1 |
| Enable/disable AES 128. | |
| #define | SHARKSSL_USE_AES_192 0 |
| AES-192 is not used in SSL/TLS enable only if needed in application using the crypto API. | |
| #define | SHARKSSL_ENABLE_AES_GCM 1 |
| AES-GCM require AES: relevant ciphersuites are included. | |
| #define | SHARKSSL_ENABLE_AES_CCM 0 |
| AES-CCM require AES: only for crypto functions - CCM TLS ciphersuites removed. | |
| #define | SHARKSSL_ENABLE_AES_CBC 0 |
| AES-CBC require AES: CBC TLS ciphersuites removed for crypto functions and PEM certificate decryption. | |
| #define | SHARKSSL_USE_CHACHA20 1 |
| Enable/disable CHACHA20 support and also include CHACHA20-POLY1305 ciphersuites when TLS1.2 and POLY1305 are enabled (SHARKSSL_USE_POLY1305) | |
| #define | SHARKSSL_SSL_SERVER_CODE 1 |
| Select 1 to enable SERVER side TLS. | |
| #define | SHARKSSL_ENABLE_CLIENT_AUTH 1 |
| Select 1 to enable client authentication from server. | |
| #define | SHARKSSL_SSL_CLIENT_CODE 1 |
| Select 1 to enable CLIENT side TLS. | |
| #define | SHARKSSL_RANDOMIZE_EXTENSIONS 1 |
| Select 1 to randomize the order of extensions in ClientHello | |
| #define | SHARKSSL_ENABLE_SNI 1 |
| Select 1 to enable support for Server Name Indication. | |
| #define | SHARKSSL_ENABLE_CA_EXTENSION 1 |
| Select 1 to enable support for Certificate Authorities extension (RFC 8446 section 4.2.4) Note: SHARKSSL_TLS_1_3 must be enabled. | |
| #define | SHARKSSL_ENABLE_RSA 1 |
| Select 0 to disable RSA ciphersuites. | |
| #define | SHARKSSL_ENABLE_SESSION_CACHE 1 |
| Select 1 to enable session caching. | |
| #define | SHARKSSL_ENABLE_SECURE_RENEGOTIATION SHARKSSL_TLS_1_2 |
| Select 1 to enable renegotiation Only secure renegotiation (RFC 5746) is supported Note: with the default define below, it is enabled whenever TLS 1.2 is NOTE: IMPLEMENTED ONLY ON THE SERVER SIDE. | |
| #define | SHARKSSL_ENABLE_DHE_RSA SHARKSSL_TLS_1_2 |
| Select 1 to enable DHE_RSA ciphersuites Note: with the default define below, it is enabled whenever TLS 1.2 is. | |
| #define | SHARKSSL_ENABLE_SELECT_CIPHERSUITE 1 |
| Enable/disable the SharkSslCon_selectCiphersuite API. | |
| #define | SHARKSSL_SELECT_CIPHERSUITE_LIST_DEPTH 8 |
| Determine the number of ciphersuites that can be selected, in decreasing order of preference; this value is only in effect if the SHARKSSL_ENABLE_SELECT_CIPHERSUITE is selected. | |
| #define | SHARKSSL_ENABLE_ALPN_EXTENSION 1 |
| Enable/disable ALPN API (support for ALPN extension, RFC 7301) | |
| #define | SHARKSSL_ENABLE_RSA_API 1 |
| Enable/disable RSA API (sharkssl_RSA_public_encrypt, sharkssl_RSA_private_decrypt, sharkssl_RSA_private_encrypt, sharkssl_RSA_public_decrypt, SharkSslRSAKey_size) | |
| #define | SHARKSSL_ENABLE_RSA_PKCS1 1 |
| Enable/disable PKCS1 padding in RSA API (SHARKSSL_ENABLE_RSA_API must be enabled) note: always enabled when SSL client or server enabled. | |
| #define | SHARKSSL_ENABLE_RSASSA_PSS SHARKSSL_TLS_1_3 |
| Enable/disable RSASSA-PSS padding in RSA API (RFC 8017) (SHARKSSL_ENABLE_RSA_API must be enabled) note: with the default define below, it is enabled whenever TLS 1.3 is. | |
| #define | SHARKSSL_ENABLE_RSA_OAEP 0 |
| Enable/disable OAEP padding in RSA API (SHARKSSL_ENABLE_RSA_API must be enabled) | |
| #define | SHARKSSL_ENABLE_ECDSA_API 1 |
| Enable/disable ECDSA API (sharkssl_ECDSA_sign, sharkssl_ECDSA_verify, SharkSslECDSA_siglen) | |
| #define | SHARKSSL_ECDSA_ONLY_VERIFY 0 |
| Disable ECDSA sign API functions (sharkssl_ECDSA_sign, SharkSslECDSA_siglen) - effective only if ECDSA API is compiled (SHARKSSL_ENABLE_ECDSA_API must be enabled) and no SSL/TLS library used (only RayCrypto); used to achieve minimum code size. | |
| #define | SHARKSSL_ENABLE_PEM_API 1 |
| Select 1 to enable PEM certs/keys decoding If RSA_API is enabled, then also the functions sharkssl_PEM_to_RSAKey and SharkSslRSAKey_free are available If ECDSA_API is enabled, then also the functions sharkssl_PEM_to_ECCKey and SharkSslECCKey_free are available. | |
| #define | SHARKSSL_ENABLE_INFO_API 1 |
| Enable/disable support for encrypted PKCS#8 certificates in sharkssl_PEM function (requires SHARKSSL_ENABLE_AES_CBC) More... | |
| #define | SHARKSSL_ENABLE_CERT_CHAIN 1 |
| Select 1 to enable certificate chain support. | |
| #define | SHARKSSL_ENABLE_CA_LIST 1 |
| Select 1 to enable CA check (client or server with client auth) | |
| #define | SHARKSSL_ENABLE_CERTSTORE_API 1 |
| Select 1 to enable certificate storage. | |
| #define | SHARKSSL_ENABLE_CERT_KEYUSAGE 0 |
| Automatic certificate cloning - always enabled. More... | |
| #define | SHARKSSL_MD5_SMALL_FOOTPRINT 0 |
| Select 1 (small ROM footprint, slow) or 0 (large, fast) More... | |
| #define | SHARKSSL_SHA256_SMALL_FOOTPRINT 0 |
| Select 1 for smaller, but slower SHA256. | |
| #define | SHARKSSL_BIGINT_EXP_SLIDING_WINDOW_K 4 |
| Select a window size between 1 (slower, less RAM) and 5. | |
| #define | SHARKSSL_BIGINT_MULT_LOOP_UNROLL 1 |
| Select 0 (slower, less ROM) or 1 (20% faster, more ROM) | |
| #define | SHARKSSL_ENABLE_AES_CTR_MODE 1 |
| Select 1 to include AES CTR mode (USE_AES_xxx must be enabled) | |
| #define | SHARKSSL_AES_CIPHER_LOOP_UNROLL 1 |
| Select 0 (35% less ROM) or 1 (10-15% faster) | |
| #define | SHARKSSL_UNALIGNED_ACCESS 0 |
| Select 1 if your architecture supports unaligned memory access (x86, ARM-Cortex-M3, ColdFire) | |
| #define | SHARKSSL_BIGINT_WORDSIZE 32 |
| Select 8, 16 or 32 according to your architecture. | |
| #define | SHARKSSL_USE_ECC 1 |
| Elliptic Curve Cryptography. | |
| #define | SHARKSSL_ENABLE_ECDSA 1 |
| Select 1 to enable generation and verification of elliptic curve digital signatures. | |
| #define | SHARKSSL_ECC_VERIFY_POINT 1 |
| Select 1 to verify that a point lies on a curve verification in function SharkSslECNISTCurve_setPoint -larger ROM (parameter B for each curve stored, more code) -slightly slower execution. | |
| #define | SHARKSSL_ENABLE_EDDSA 1 |
| Select 1 to enable generation and verification of Edwards elliptic curve digital signatures (RFC 8032) | |
| #define | SHARKSSL_ECC_TIMING_RESISTANT 1 |
| Enable timing resistant ECC algorithms DISABLE AT YOUR OWN RISK! | |
| #define | SHARKSSL_BIGINT_TIMING_RESISTANT 1 |
| Enable timing resistant big integer functions Enabled by default when the above is enabled DISABLE AT YOUR OWN RISK! More... | |
| #define | SHARKSSL_BIGINT_TIMING_RESISTANT 1 |
| Enable timing resistant big integer functions Enabled by default when the above is enabled DISABLE AT YOUR OWN RISK! More... | |
| #define | SHARKSSL_ECC_USE_SECP256R1 1 |
| Enable/disable the SECP256R1 curve. | |
| #define | SHARKSSL_ECC_USE_SECP384R1 1 |
| Enable/disable the SECP384R1 curve. | |
| #define | SHARKSSL_ECC_USE_SECP521R1 1 |
| Enable/disable the SECP521R1 curve. | |
| #define | SHARKSSL_ECC_USE_BRAINPOOLP256R1 1 |
| Enable/disable the brainpoolP256r1 curve (RFC 5639) | |
| #define | SHARKSSL_ECC_USE_BRAINPOOLP384R1 1 |
| Enable/disable the brainpoolP384r1 curve (RFC 5639) | |
| #define | SHARKSSL_ECC_USE_BRAINPOOLP512R1 1 |
| Enable/disable the brainpoolP512r1 curve (RFC 5639) | |
| #define | SHARKSSL_ECC_USE_CURVE25519 1 |
| Enable/disable the Curve25519 curve (RFC 7748) | |
| #define | SHARKSSL_ECC_USE_CURVE448 0 |
| Enable/disable the Curve448 curve (RFC 7748) | |
| #define | SHARKSSL_ENABLE_ECDHE_RSA 1 |
| Select 1 to enable ECDHE_RSA ciphersuites (RFC 4492) Elliptic Curve Cryptography (SHARKSSL_USE_ECC) must be enabled RSA (SHARKSSL_ENABLE_RSA) must be enabled. | |
| #define | SHARKSSL_ENABLE_ECDHE_ECDSA 1 |
| Select 1 to enable ECDHE_ECDSA ciphersuites (RFC 4492) Elliptic Curve Cryptography (SHARKSSL_USE_ECC) must be enabled SHARKSSL_ENABLE_ECDSA must be set. | |
| #define | SHARKSSL_OPTIMIZED_BIGINT_ASM 0 |
| Enabling big integer assembler library requires SharkSslBigInt_XX.s. | |
| #define | SHARKSSL_OPTIMIZED_CHACHA_ASM 0 |
| Enabling assembler optimized CHACHA requires SharkSslCrypto_XX.s. | |
| #define | SHARKSSL_OPTIMIZED_POLY1305_ASM 0 |
| Enabling assembler optimized POLY requires SharkSslCrypto_XX.s. | |
| #define | SHARKSSL_USE_RNG_TINYMT 0 |
| Setting this macro to 1 enables TINYMT32 and disables other RNG's Please notice that the TinyMT is not recommended for cryptographic applications The SharkSSL implementation passed anyway the bbattery_FIPS_140_2 test of TestU01 (http://simul.iro.umontreal.ca/testu01/tu01.html) http://simul.iro.umontreal.ca/testu01/tu01.html. | |
| #define | SHARKSSL_USE_RNG_FORTUNA 0 |
| Setting this macro to 1 enables Fortuna RNG's Suitable to cryptographic applications SHARKSSL_USE_RNG_TINYMT must be disabled AES 256 and SHA 256 must be enabled The SharkSSL implementation passed the bbattery_FIPS_140_2 test of TestU01 (http://simul.iro.umontreal.ca/testu01/tu01.html) | |
| #define | SHARKSSL_RNG_MULTITHREADED 1 |
| Setting this macro to 1 enables the usage of sharkssl_rng in a multithreaded environment. More... | |
| #define | SHARKSSL_NOPACK 0 |
| Do not pack option. | |
| #define | SHARKSSL_CHECK_DATE 0 |
| SharkSslCon_trusted also checks certificate expiration and returns SharkSslConTrust_CertCnDate if date(s) are within: timeFrom <= now and timeTo >= now This setting requires baGetUnixTime() returning the correct time. | |
| #define SHARKSSL_BIGINT_TIMING_RESISTANT 1 |
Enable timing resistant big integer functions Enabled by default when the above is enabled DISABLE AT YOUR OWN RISK!
sanity #defines — do not edit below this line!
| #define SHARKSSL_BIGINT_TIMING_RESISTANT 1 |
Enable timing resistant big integer functions Enabled by default when the above is enabled DISABLE AT YOUR OWN RISK!
sanity #defines — do not edit below this line!
| #define SHARKSSL_ENABLE_CERT_KEYUSAGE 0 |
Automatic certificate cloning - always enabled.
Select 1 to enable parsing KeyUsage and ExtendedKeyUsage in the certificates
| #define SHARKSSL_ENABLE_INFO_API 1 |
Enable/disable support for encrypted PKCS#8 certificates in sharkssl_PEM function (requires SHARKSSL_ENABLE_AES_CBC)
Enable/disable SharkSslCon_getCiphersuite
| #define SHARKSSL_MD5_SMALL_FOOTPRINT 0 |
Select 1 (small ROM footprint, slow) or 0 (large, fast)
SHA 384 is only available in small footprint version, being the fast version only 20% faster at the expense of an 8x code size (benchmarked on ARM Cortex M3)
| #define SHARKSSL_RNG_MULTITHREADED 1 |
Setting this macro to 1 enables the usage of sharkssl_rng in a multithreaded environment.
Please remember to initialize the RNG by calling sharkssl_entropy at least once before calling sharkssl_rng