1 (edited by mkey 2012-01-06 08:41:17)

Topic: Custom Compile

Hi people.

I have a problem with a custom compiled CyaSSL embedded SSL library. I'm using:
- CyaSSL embedded SSL package (v 2.0.2)
- Windows 7 64 bit platform
- Pelles C compiler RC4, the 32 bit version
- MASM32 project

I have been trying to compile the library so it would be linkable in my MASM project and where VC++ 6.0 and 8.0 Express have failed, Pelles C managed to give me a library with unmangled function names. Some of the project options I used to compile the library are:
- stdcall function calls
- single threaded library
- undecorate exported functions option checked
- preprocessor directives: OPENSSL_EXTRA CYASSL_RIPEMD CYASSL_SHA512 NO_PSK WIN32 SINGLE_THREADED

The custom project was built following your guidelines from the manual, that is, copy all the .c files into one folder and the .h files into the other. I have changed the directory structure a bit, but the whole thing compiles without problems; I just get a few warnings:

\Pelles C Projects\cyassl-barebone\cyassl\internal.h(1154): warning #2135: Static 'tls_client' is not referenced.
\Pelles C Projects\cyassl-barebone\cyassl\internal.h(1152): warning #2135: Static 'server' is not referenced.

The output is a 292kb cyassl.lib. Once I insert the library into my MASM project the only thing needed for a successful build is the crt.lib library.

This would be a part of the function flow I'm trying to create

    invoke CyaSSL_library_init
    cmp eax,SSL_SUCCESS
    jne @quit
    
    invoke CyaSSLv3_client_method
    mov meth,eax
    invoke CyaSSL_CTX_new,meth
    mov ctx,eax
    invoke CyaSSL_CTX_load_verify_locations,ctx,offset _cert,0
    
    invoke CyaSSL_new,ctx
    mov ssl,eax

Note: the function CyaSSL_Init according to the manual returns a "1" if successful, while in fact it returns a 0 if everything went OK.

int CyaSSL_library_init(void)
{
    CYASSL_ENTER("SSL_library_init");
    if (CyaSSL_Init() == 0)
        return SSL_SUCCESS;
    else
        return SSL_FATAL_ERROR;
}

The function CyaSSLv3_client_method never returns and throws an exception in nt.dll. I have traced the flow of the function a bit.

Firstly, the VirtualAlloc function is called with the following parameters:
Address=0
Size=0
AllocType=MEM_RESERVE
Protect=PAGE_NOACCESS

The return value is NULL and the last error call gives "00000057 ERROR_INVALID_PARAMETER".

The execution crashes on an RtlHeapAlloc call, with "Access violation when reading [00000044]".

The RtlHeapAlloc function is invoked with the following parameters:
Heap=NULL
Flags=HEAP_NO_SERIALIZE
Size=7

Any light you may shed on this issue will be more than welcome. If you need any of the sources I'll gladly attach them.


Re: Custom Compile

OK, I "bypassed" these issues by compiling the library as a DLL and linking to it dynamically. I would still like to get the static library, though.

This second issue I have doesn't really relate to this problem, it's more of a continuation of my SSL pain and suffering.

Whatever I do, I can't connect to pop.gmail.com in a secure fashion. I'm able to bypass the cert check with

invoke CyaSSL_CTX_set_verify,ctx,SSL_VERIFY_NONE,0

which will be good enough for now I guess, but I would like to have things working properly. These are the steps I have taken:

1. used Mozilla Firefox to export the two certificates which I assumed should be relevant for Google mail servers.

http://i.imgur.com/3WBcs.gif

I suppose the top one is the top of the chain, is that correct? I exported both certificates; they had a .crt extension which I just renamed to .pem and placed in my program directory. I tried using all of these functions

invoke CyaSSL_CTX_load_verify_locations,ctx,offset _cert,0
invoke CyaSSL_CTX_use_certificate_file,ctx,offset _cert,SSL_FILETYPE_PEM
invoke CyaSSL_CTX_use_certificate_chain_file,ctx,offset _cert

on both certificate files, but calls to connect and read functions result in "asn sig error, confirm failure" error.

Any insight into this problem would be welcome.


Re: Custom Compile

Hi mkey,

Can you try testing your code with the most recent CyaSSL code on GitHub (https://github.com/cyassl/cyassl)?  We've changed a few things regarding CA Basic Constraints recently which looks like it might make a difference.  Also, note that you can build CyaSSL with --enable-debug and then call CyaSSL_Debugging_ON() from your application for more verbose debug information from CyaSSL.

As you know, set SSL_VERIFY_PEER, using:

CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);

It looks like you have found the correct certificate chain, yes.  I downloaded the Equifax Secure Certificate Authority from here:  https://www.geotrust.com/resources/root-certificates/.

With CyaSSL (version >= 2.0), only the top or root certificate of the chain is required to be loaded as a trusted certificate in order to properly verify the chain.  So, in your case, you could load the Equifax CA cert like this (where equifaxCert is the path to your Equifax CA cert):

CyaSSL_CTX_load_verify_locations(ctx, equifaxCert, 0)

This will return SSL_SUCCESS upon success.  I tried this using our example client after making the above cert modifications (./examples/client/client pop.gmail.com 995) and it was able to connect to pop.gmail.com.

Note: the function CyaSSL_Init according to the manual returns a "1" if successful, while in fact it returns a 0 if everything went OK.

Thanks for the heads up on this.  We'll make sure the docs and/or code get changed to clear this up.

Regards,
Chris

Re: Custom Compile

Thanks a lot for your response, I'll check this out in the coming days, currently I'm working on other parts of my project.


5 (edited by mkey 2012-01-16 05:42:44)

Re: Custom Compile

Hmh, I got the code from the hub, but it seems some include files were missing, so I combined the new source with the previous source version while keeping the newer files. Now I get some linking errors:

io.obj : error LNK2001: unresolved external symbol _recv@16
io.obj : error LNK2001: unresolved external symbol _WSAGetLastError@0
io.obj : error LNK2001: unresolved external symbol _send@16
random.obj : error LNK2001: unresolved external symbol __imp__CryptReleaseContext@8
random.obj : error LNK2001: unresolved external symbol __imp__CryptGenRandom@12
random.obj : error LNK2001: unresolved external symbol __imp__CryptAcquireContextA@20
ssl.obj : error LNK2001: unresolved external symbol _closesocket@4

winsock32.h at least seems to be included.

Is this the correct set of precompile definitions?

OPENSSL_EXTRA,CYASSL_RIPEMD,CYASSL_SHA512,NO_PSK,SINGLE_THREADED,NO_CYASSL_SERVER,_WINDLL,_AFXDLL,_WIN32

EDIT:

Ignore this, lol, I just need to add the winsock lib in project properties; the dozens of project properties tabs are a bit hard to navigate for me.

These definitions worked as I would like them to:

OPENSSL_EXTRA,CYASSL_RIPEMD,CYASSL_SHA512,NO_PSK,SINGLE_THREADED,NO_CYASSL_SERVER,_WIN32,CYASSL_DLL,BUILDING_CYASSL


Re: Custom Compile

Glad to hear you got it worked out.  So, things are working correctly now?

- Chris

Re: Custom Compile

Hi Chris and sorry, I wanted to add to my previous reply but I got swamped at work.

invoke CyaSSL_CTX_set_verify,ctx,1,0

invoke CyaSSL_CTX_load_verify_locations,ctx,offset _cert1,0

invoke CyaSSL_new,ctx
mov ssl,eax
invoke CyaSSL_set_fd,ssl,hSocket
    
invoke CyaSSL_connect,ssl

This is what I used, but it's still a no-go; I get the same error. I'll dig into the subject a bit tomorrow and recompile with logging turned on.

I tried with both relative and absolute paths to the cert file, don't know if that's supposed to make any difference. Also, I downloaded this cert file.


Re: Custom Compile

OK, here's the log:

logLevel = 2
pMsg = CyaSSL Entering CyaSSL_Init
logLevel = 2
pMsg = CyaSSL Entering SSLv3_client_method
logLevel = 2
pMsg = CyaSSL Entering CYASSL_CTX_new
logLevel = 3
pMsg = CyaSSL Leaving CYASSL_CTX_new, return 0
logLevel = 2
pMsg = CyaSSL Entering CyaSSL_CTX_set_verify
logLevel = 2
pMsg = CyaSSL Entering SSL_CTX_load_verify_locations
logLevel = 1
pMsg = Processing CA PEM file
logLevel = 2
pMsg = CyaSSL Entering SSL_new
logLevel = 3
pMsg = CyaSSL Leaving SSL_new, return 0
eax = 02025158, ssl
logLevel = 2
pMsg = CyaSSL Entering SSL_set_fd
logLevel = 3
pMsg = CyaSSL Leaving SSL_set_fd, return 1
logLevel = 2
pMsg = CyaSSL Entering SSL_read()
logLevel = 2
pMsg = CyaSSL Entering ReceiveData()
logLevel = 1
pMsg = Handshake not complete, trying to finish
logLevel = 2
pMsg = CyaSSL Entering CyaSSL_negotiate
logLevel = 2
pMsg = CyaSSL Entering SSL_connect()
logLevel = 1
pMsg = connect state: CLIENT_HELLO_SENT
logLevel = 1
pMsg = growing input buffer
logLevel = 1
pMsg = received record layer msg
logLevel = 2
pMsg = CyaSSL Entering DoHandShakeMsg()
logLevel = 1
pMsg = processing server hello
logLevel = 3
pMsg = CyaSSL Leaving DoHandShakeMsg(), return 0
logLevel = 1
pMsg = More messages in record
logLevel = 1
pMsg = received record layer msg
logLevel = 2
pMsg = CyaSSL Entering DoHandShakeMsg()
logLevel = 1
;<------------------------------------------ interesting bit starts here
pMsg = processing certificate
logLevel = 1
pMsg = Loading peer's cert chain
logLevel = 1
pMsg =     Put another cert into chain
logLevel = 1
pMsg =     Put another cert into chain
logLevel = 1
pMsg =     Put another cert into chain
logLevel = 1
pMsg = Found Basic CA constraint
logLevel = 1
pMsg = Found optional critical flag, moving past
logLevel = 1
pMsg = About to verify certificate signature
logLevel = 1
pMsg = No CA signer to verify with
logLevel = 1
pMsg = Failed to verify CA from chain
logLevel = 1
pMsg = Found Basic CA constraint
logLevel = 1
pMsg = Found optional critical flag, moving past
logLevel = 1
pMsg = About to verify certificate signature
logLevel = 1
pMsg = No CA signer to verify with
logLevel = 1
pMsg = Failed to verify CA from chain
logLevel = 1
pMsg = Veriying Peer's cert
logLevel = 1
pMsg = About to verify certificate signature
logLevel = 1
pMsg = No CA signer to verify with
logLevel = 1
pMsg = Failed to verify Peer's cert
logLevel = 3
pMsg = CyaSSL Leaving DoHandShakeMsg(), return -155
logLevel = 0
pMsg = CyaSSL error occured, error = -155
;<------------------------------------------ interesting bit ends here
logLevel = 3
pMsg = CyaSSL Leaving CyaSSL_negotiate, return -1
logLevel = 3
pMsg = CyaSSL Leaving SSL_read(), return -1
eax = FFFFFFFF, read
logLevel = 2
pMsg = CyaSSL Entering SSL_get_error
logLevel = 3
pMsg = CyaSSL Leaving SSL_get_error, return -155
logLevel = 2
pMsg = CyaSSL Entering ERR_error_string
offset err_buf = ASN sig error, confirm failure
ssl error
logLevel = 2
pMsg = CyaSSL Entering SSL_shutdown()
logLevel = 3
pMsg = CyaSSL Leaving SSL_shutdown(), return -155
logLevel = 2
pMsg = CyaSSL Entering SSL_free
logLevel = 1
pMsg = CTX ref count not 0 yet, no free
logLevel = 1
pMsg = Shrinking input buffer
logLevel = 2
pMsg = CyaSSL Entering BIO_free
logLevel = 3
pMsg = CyaSSL Leaving SSL_free, return 0
logLevel = 2
pMsg = CyaSSL Entering SSL_CTX_free
logLevel = 1
pMsg = CTX ref count down to 0, doing full free
logLevel = 3
pMsg = CyaSSL Leaving SSL_CTX_free, return 0


Re: Custom Compile

Hi mkey,

It looks like verification of the peer certificates is failing - possibly due to the incorrect CA cert being loaded.  Can you verify once again that you converted the certificate (Equifax_Secure_Certificate_Authority_DER.cer) to PEM format before loading it with CyaSSL_CTX_load_verify_locations(), and that this is the CA cert you are loading?

You can convert the certificate using the OpenSSL command line tool:

openssl x509 -inform der -in Equifax_Secure_Certificate_Authority_DER.cer -out Equifax_Secure_Certificate_Authority.pem

Chris
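
The DER/PEM mismatch Chris describes is easy to catch before the file ever reaches CyaSSL_CTX_load_verify_locations(). The following is an added example, not code from this thread or from the CyaSSL project: it sniffs whether a certificate file is PEM or DER and normalizes it to PEM using the Python standard library's ssl.DER_cert_to_PEM_cert helper (the same transformation as the openssl x509 command above). The sample DER bytes are constructed and are not a real certificate; the function names are this example's own.

```python
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed sample: a minimal ASN.1 SEQUENCE { INTEGER 5 }. It is NOT a real
# certificate; it only exercises the DER-vs-PEM detection and conversion path.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def detect_cert_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for the raw bytes of a certificate file."""
    stripped = data.lstrip()
    if stripped.startswith(PEM_HEADER.encode("ascii")):
        return "PEM"
    # Every DER-encoded X.509 certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
    if stripped[:1] == b"\x30":
        return "DER"
    return "unknown"


def to_pem(data: bytes) -> str:
    """Return the certificate as a PEM string, converting from DER when needed."""
    fmt = detect_cert_format(data)
    if fmt == "PEM":
        # Drop leading whitespace so the header is the very first thing in the string.
        return data.lstrip().decode("ascii")
    if fmt == "DER":
        # Base64-encodes the DER and wraps it in BEGIN/END CERTIFICATE lines.
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("input is neither a PEM nor a DER certificate")


def pem_roundtrips(pem: str, der: bytes) -> bool:
    """Check that decoding the PEM body gives back exactly the original DER bytes."""
    return ssl.PEM_cert_to_DER_cert(pem) == der


def prepare_ca_file(src_path: str, dst_path: str) -> str:
    """Read a CA file in either format and write a PEM copy; returns the detected input format."""
    with open(src_path, "rb") as f:
        data = f.read()
    fmt = detect_cert_format(data)
    with open(dst_path, "w", encoding="ascii") as f:
        f.write(to_pem(data))
    return fmt


if __name__ == "__main__":
    # Usage: python this_script.py input.cer output.pem
    if len(sys.argv) == 3:
        print("input was", prepare_ca_file(sys.argv[1], sys.argv[2]))
    else:
        pem = to_pem(SAMPLE_DER)
        print(pem)
        print("round-trip ok:", pem_roundtrips(pem, SAMPLE_DER))
```

Running prepare_ca_file() on the exported .cer before pointing CyaSSL at the output avoids the silent failure mode in the log above, where the DER file is accepted as a path but no usable CA is loaded.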

10 (edited by mkey 2012-01-19 23:35:11)

Re: Custom Compile

Hi chrisc, even without verification I can confirm I haven't converted anything.

That must be the problem, I'll do it this afternoon and let you know about the results.

Alternately, I can just use the certificate exported from Firefox?


Re: Custom Compile

OK, finally got around to it. It's working normally when PEM format is used, thanks.

I used the openssl program to convert from DER, some online converter and a directly exported file in PEM format, they all worked. Well, they all gave exactly the same PEM file.

However, I'd like to ask for some guidance to the process of choosing the correct CA file. For instance:

(this is from Firefox certificate manager, servers tab)

http://i.imgur.com/alAjo.gif

None of these CAs will work, exported them in PEM format directly.

(authorities tab)

http://i.imgur.com/9k7Po.gif

Here, only the "Equifax Secure CA" will work, the Google one will not.

(from the address bar icon)

http://i.imgur.com/myIdQ.gif

I tried exporting all of these, none work, again PEM format.

What would be the process for obtaining (just an example) Yahoo Mail or Hotmail CA files which could be used for CyaSSL?


Re: Custom Compile

"I tried exporting all of these, none work, again PEM format."

What do you mean by none work?  The export failed, if so, how?  The CyaSSL CTX load in PEM failed, if so, how?  The SSL connect failed, if so, how?

In your example, only the Root certificate, the one starting with "Builtin Object" will need to be loaded.  In my Firefox I can export a certificate with the Format "X.509 Certificate (PEM)" which CyaSSL should have no trouble loading.


Re: Custom Compile

They all were exported but they gave errors when trying to connect. Exactly the same scenario as above.


Re: Custom Compile

Part of the problem is probably that sites often use redirection, sometimes multiple, depending on the address used, current login status, etc.  For example, Hotmail may take you to the login, which has a different certificate and chain than the actual mail certificate and chain.  When you connect directly with CyaSSL you are first having to go through the login process, I'm guessing.  Maybe you should start with some simpler fixed-certificate sites?  The CyaSSL example echoserver is a very simple HTTPS web server.


Re: Custom Compile

Yeah, Hotmail likes to bounce around. This isn't exactly detrimental to my needs, as long as I can skip CA check altogether, but usually I like doing things properly.
