SharkSSL™ Embedded SSL/TLS Stack
SharkSsl Configuration (macros)

Detailed Description

Add/remove SharkSSL features and/or optimize for speed versus size.



 HASH algorithms


#define SHARKSSL_USE_AES_256   1
 Enable/disable AES 256.
#define SHARKSSL_USE_AES_128   1
 Enable/disable AES 128.
#define SHARKSSL_USE_AES_192   0
 AES-192 is not used in SSL/TLS; enable it only if needed in an application using the crypto API.
 AES-GCM requires AES; the relevant ciphersuites are included.
 AES-CCM requires AES; only for crypto functions (CCM TLS ciphersuites removed).
 AES-CBC requires AES; CBC TLS ciphersuites removed; for crypto functions and PEM certificate decryption.
 Enable/disable CHACHA20 support and also include CHACHA20-POLY1305 ciphersuites when TLS 1.2 and POLY1305 are enabled (SHARKSSL_USE_POLY1305).
 select 1 to enable SERVER side TLS
 select 1 to enable client authentication from server
 select 1 to enable CLIENT side TLS
 select 1 to enable support for Server Name Indication
 select 0 to disable RSA ciphersuites
 select 1 to enable session caching
 select 1 to enable renegotiation; only secure renegotiation (RFC 5746) is supported
 select 1 to enable DHE_RSA ciphersuites
 Enable/disable the SharkSslCon_selectCiphersuite API.
 Determine the number of ciphersuites that can be selected, in decreasing order of preference; this value is only in effect if the SHARKSSL_ENABLE_SELECT_CIPHERSUITE is selected.
 Enable/disable ALPN API (support for ALPN extension, RFC 7301)
 Enable/disable RSA API (sharkssl_RSA_public_encrypt, sharkssl_RSA_private_decrypt, sharkssl_RSA_private_encrypt, sharkssl_RSA_public_decrypt, SharkSslRSAKey_size)
 Enable/disable PKCS1 padding in RSA API (SHARKSSL_ENABLE_RSA_API must be enabled). Note: always enabled when SSL client or server is enabled.
 Enable/disable OAEP padding in RSA API (SHARKSSL_ENABLE_RSA_API must be enabled)
 Enable/disable ECDSA API (sharkssl_ECDSA_sign, sharkssl_ECDSA_verify, SharkSslECDSA_siglen)
 Disable ECDSA sign API functions (sharkssl_ECDSA_sign, SharkSslECDSA_siglen). Effective only if the ECDSA API is compiled (SHARKSSL_ENABLE_ECDSA_API must be enabled) and no SSL/TLS library is used (only RayCrypto); used to achieve minimum code size.
 select 1 to enable PEM certs/keys decoding. If RSA_API is enabled, the functions sharkssl_PEM_to_RSAKey and SharkSslRSAKey_free are also available; if ECDSA_API is enabled, the functions sharkssl_PEM_to_ECCKey and SharkSslECCKey_free are also available.
 Enable/disable support for encrypted PKCS#8 certificates in sharkssl_PEM function (requires SHARKSSL_ENABLE_AES_CBC)
 Enable/disable SharkSslCon_getCiphersuite.
 select 1 to enable certificate chain support
 select 1 to enable CA check (client or server with client auth)
 select 1 to enable certificate storage
 select 1 to enable automatic certificate cloning
 select 1 to enable parsing KeyUsage and ExtendedKeyUsage in the certificates
 select 1 (small ROM footprint, slow) or 0 (large, fast)
 Select 1 for smaller, but slower SHA256.
 select a window size between 1 (slower, less RAM) and 5
 select 0 (slower, less ROM) or 1 (20% faster, more ROM)
 select 1 to include AES CTR mode (USE_AES_xxx must be enabled)
 select 0 (35% less ROM) or 1 (10-15% faster)
 select 1 if your architecture supports unaligned memory access (x86, ARM-Cortex-M3, ColdFire)
 select 8, 16 or 32 according to your architecture
#define SHARKSSL_USE_ECC   1
 Elliptic Curve Cryptography.
 select 1 to enable generation and verification of elliptic curve digital signatures
 select 1 to verify that a point lies on a curve; the verification is done in function SharkSslECNISTCurve_setPoint. Costs: larger ROM (parameter B for each curve stored, more code) and slightly slower execution.
 Enable timing resistance.
#define SHARKSSL_ECC_USE_SECP256R1   1
 Enable/disable the SECP256R1 curve.
#define SHARKSSL_ECC_USE_SECP384R1   1
 Enable/disable the SECP384R1 curve.
#define SHARKSSL_ECC_USE_SECP521R1   1
 Enable/disable the SECP521R1 curve.
 Enable/disable the brainpoolP256r1 curve (RFC5639)
 Enable/disable the brainpoolP384r1 curve (RFC5639)
 Enable/disable the brainpoolP512r1 curve (RFC5639)
 select 1 to enable ECDHE_RSA ciphersuites (RFC 4492). Elliptic Curve Cryptography (SHARKSSL_USE_ECC) must be enabled.
 select 1 to enable ECDHE_ECDSA ciphersuites (RFC 4492). Elliptic Curve Cryptography (SHARKSSL_USE_ECC) must be enabled and SHARKSSL_ENABLE_ECDSA must be set.
 Enabling big integer assembler library requires SharkSslBigInt_XX.s.
 Enabling assembler optimized CHACHA requires SharkSslCrypto_XX.s.
 Enabling assembler optimized POLY requires SharkSslCrypto_XX.s.
 Setting this macro to 1 enables TINYMT32 and disables other RNGs. Please note that TinyMT is not recommended for cryptographic applications. The SharkSSL implementation nevertheless passed the bbattery_FIPS_140_2 test of TestU01 (
 Setting this macro to 1 enables the Fortuna RNG, which is suitable for cryptographic applications. SHARKSSL_USE_RNG_TINYMT must be disabled; AES 256 and SHA 256 must be enabled. The SharkSSL implementation passed the bbattery_FIPS_140_2 test of TestU01 (
 Setting this macro to 1 enables the usage of sharkssl_rng in a multithreaded environment.
 Do not pack option.
 SharkSslCon_trusted also checks certificate expiration and returns SharkSslConTrust_CertCnDate if the date(s) are within range: timeFrom <= now and timeTo >= now. This setting requires baGetUnixTime() to return the correct time.
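
Several of the options above depend on one another (Fortuna on AES 256, SHA 256 and a disabled TinyMT; ECDHE_ECDSA on ECC and ECDSA; encrypted PKCS#8 on AES-CBC). The following is an added example, not SharkSSL code, showing one way to check a configuration against those stated rules. The `EXAMPLE_*` macros, the `shark_cfg` struct and the `CFG_*` flags are hypothetical names introduced here, and the macro values are a constructed sample.

```c
#include <stdio.h>

/* Constructed sample configuration. SHARKSSL_* names appear on the page;
 * EXAMPLE_* names stand in for macros the page describes but does not name. */
#define SHARKSSL_USE_AES_256       1
#define SHARKSSL_USE_ECC           1
#define SHARKSSL_ENABLE_ECDSA      1
#define SHARKSSL_ENABLE_AES_CBC    1
#define SHARKSSL_USE_RNG_TINYMT    0
#define EXAMPLE_USE_SHA_256        1
#define EXAMPLE_USE_RNG_FORTUNA    1
#define EXAMPLE_ENABLE_ECDHE_ECDSA 1
#define EXAMPLE_ENCRYPTED_PKCS8    1

#if EXAMPLE_USE_RNG_FORTUNA && SHARKSSL_USE_RNG_TINYMT
#error "Fortuna RNG requires SHARKSSL_USE_RNG_TINYMT to be 0"
#endif

enum { /* one bit per violated rule */
    CFG_RNG_CONFLICT = 1,      CFG_FORTUNA_NO_AES256 = 2,
    CFG_FORTUNA_NO_SHA256 = 4, CFG_ECDHE_NO_ECC = 8,
    CFG_ECDHE_NO_ECDSA = 16,   CFG_PKCS8_NO_AES_CBC = 32,
    CFG_TINYMT_WEAK_RNG = 64
};
struct shark_cfg {
    int aes256, sha256, ecc, ecdsa, aes_cbc, tinymt, fortuna, ecdhe_ecdsa, pkcs8;
};
/* The macro settings above, as data the checker can inspect. */
static const struct shark_cfg build_cfg = { SHARKSSL_USE_AES_256,
    EXAMPLE_USE_SHA_256, SHARKSSL_USE_ECC, SHARKSSL_ENABLE_ECDSA,
    SHARKSSL_ENABLE_AES_CBC, SHARKSSL_USE_RNG_TINYMT, EXAMPLE_USE_RNG_FORTUNA,
    EXAMPLE_ENABLE_ECDHE_ECDSA, EXAMPLE_ENCRYPTED_PKCS8 };
/* Returns a bitmask of violated dependencies; 0 means the set is consistent. */
unsigned shark_cfg_violations(const struct shark_cfg *c)
{
    unsigned v = 0;
    if (c->fortuna && c->tinymt)     v |= CFG_RNG_CONFLICT;
    if (c->fortuna && !c->aes256)    v |= CFG_FORTUNA_NO_AES256;
    if (c->fortuna && !c->sha256)    v |= CFG_FORTUNA_NO_SHA256;
    if (c->ecdhe_ecdsa && !c->ecc)   v |= CFG_ECDHE_NO_ECC;
    if (c->ecdhe_ecdsa && !c->ecdsa) v |= CFG_ECDHE_NO_ECDSA;
    if (c->pkcs8 && !c->aes_cbc)     v |= CFG_PKCS8_NO_AES_CBC;
    if (c->tinymt)                   v |= CFG_TINYMT_WEAK_RNG; /* not for crypto */
    return v;
}
int main(void)
{
    printf("violations: 0x%02x\n", shark_cfg_violations(&build_cfg));
    return 0;
}
```

The `#if`/`#error` guard stops the build on the RNG conflict, while the function form lets a unit test or a host-side script audit several candidate configurations at once.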

Macro Definition Documentation



select 1 (small ROM footprint, slow) or 0 (large, fast)

SHA 384 is only available in the small footprint version, since the fast version is only 20% faster at the expense of 8x the code size (benchmarked on ARM Cortex M3).



Setting this macro to 1 enables the usage of sharkssl_rng in a multithreaded environment.

Please remember to initialize the RNG by calling sharkssl_entropy at least once before calling sharkssl_rng.