From ccfc1ffbe41fdc8761a392500b8f388d4f4abec0 Mon Sep 17 00:00:00 2001 From: Lealem Amedie Date: Fri, 8 Sep 2023 09:25:26 -0600 Subject: [PATCH] Update manual to reflect WOLFSSL_SP_CACHE_RESISTANT now on by default --- wolfSSL/src/chapter02.md | 8 ++++++++ wolfSSL/src/chapter04.md | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/wolfSSL/src/chapter02.md b/wolfSSL/src/chapter02.md index 8b7a0daf..91d8d6ad 100644 --- a/wolfSSL/src/chapter02.md +++ b/wolfSSL/src/chapter02.md @@ -1365,6 +1365,14 @@ Enable Max Strength build, allows TSLv1.2-AEAD-PFS ciphers only Disable Hardened build, Enables Timing Resistance and Blinding +To disable via user_settings.h the equivalent settings would be: + +* `#define WC_NO_CACHE_RESISTANT` +* `#define WC_NO_HARDEN` +* Remove the setting `WC_RSA_BLINDING` if present or un-define it +* Remove the setting `ECC_TIMING_RESISTANT` if present or un-define it +* Remove the setting `TFM_TIMING_RESISTANT` if present or un-define it + ### `--enable-ipv6` Enable testing of IPv6, wolfSSL proper is IP neutral diff --git a/wolfSSL/src/chapter04.md b/wolfSSL/src/chapter04.md index b6c91851..778ce958 100644 --- a/wolfSSL/src/chapter04.md +++ b/wolfSSL/src/chapter04.md @@ -696,7 +696,7 @@ See also: [`--disable-harden`](chapter02.md#--disable-harden) Timing resistance and cache resistance defines enabled with `--enable-harden`: -* `WOLFSSL_SP_CACHE_RESISTANT`: Enables logic to mask the address used. +* DEPRECATED: `WOLFSSL_SP_CACHE_RESISTANT`: Always on by default, see [`--disable-harden`](chapter02.md#--disable-harden) to disable default cache resistance. * `WC_RSA_BLINDING`: Enables blinding mode, to prevent timing attacks. * `ECC_TIMING_RESISTANT`: ECC specific timing resistance. * `TFM_TIMING_RESISTANT`: Fast math specific timing resistance.
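Review bot: in the chapter02.md hunk, the first added bullet gives `#define WC_NO_CACHE_RESISTANT` as a user_settings.h step without saying how it relates to `WOLFSSL_SP_CACHE_RESISTANT`, which the commit subject says is now on by default. One sentence before the list stating that cache resistance is default-on and that this macro is the opt-out would close that gap. The three "Remove the setting ... if present or un-define it" bullets should also name what each removal turns off (RSA blinding, ECC timing resistance, fast math timing resistance, as chapter04.md describes them), so a reader copying the list into user_settings.h sees that it disables side-channel protections.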
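Review bot: in the chapter04.md hunk, the rewritten `WOLFSSL_SP_CACHE_RESISTANT` bullet now says "Always on by default" while it still sits under the unchanged sentence "Timing resistance and cache resistance defines enabled with `--enable-harden`", so the list contradicts its own heading line. Either move the bullet out of that list or reword the lead sentence. The change also drops the only description of the protection ("Enables logic to mask the address used"); keep that clause so the reader still knows what is on by default. "DEPRECATED" is ambiguous about whether the macro or the feature is deprecated, and the bullet should name `WC_NO_CACHE_RESISTANT` directly, since the chapter02.md hunk introduces it as the way to disable cache resistance.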