1 (edited by qiwycuxe 2022-08-06 11:24:42)

Topic: [SOLVED] --enable-sp results in invalid Certificate Verify signature

I'm trying out wolfSSL and have created a simple server application that currently only accepts a connection and does the TLS handshake. It works fine, but when I configure with --enable-sp, the handshake seems to fail because of an invalid Certificate Verify signature. I'm using TLS 1.3 and the signature algorithm is ecdsa_secp256r1_sha256.

Some tests also fail with --enable-sp:

ecc_test_curve_size 32 failed!: -9912
ECC      test failed!
 error = -9912

FAIL: scripts/unit
==================

starting unit tests...
 Begin API Tests
In verification callback, error = 0, unknown error number
In verification callback, error = -188, ASN no signer error to confirm failure
   wolfSSL_Init(): passed
   test_wolfSSL_ERR_strings: passed
   wolfSSL_CTX_use_certificate_buffer(): passed
    Peer certs: 1
    Subject's domain name at 0 is www.wolfssl.com
    Peer certs: 1
    Subject's domain name at 0 is www.wolfssl.com
    Allowing failed certificate check, testing only (shouldn't do this in production)
error = -312, error during decryption
error = -308, error state on socket

ERROR - tests/api.c line 6156 failed with:
    expected: client_args.return_code is true
    result:   client_args.return_code => FALSE

FAIL scripts/unit.test (exit status: 134)

./configure \
  --enable-sp \
  --enable-rng \
  --enable-aesni \
  --enable-intelasm \
  --enable-curve25519 \
  --disable-oldtls \
  --disable-tlsv12

$ curl -v -k https://localhost
*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS alert, decrypt error (563):
* error:1417B07B:SSL routines:tls_process_cert_verify:bad signature
* Closing connection 0
curl: (35) error:1417B07B:SSL routines:tls_process_cert_verify:bad signature

$ uname -a
Linux x 5.18.13-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 22 Jul 2022 13:05:04 +0000 x86_64 GNU/Linux

$ git log
commit 99dad9134425d37ee45cc61524892b7e638c706a (grafted, HEAD -> master, origin/master, origin/HEAD)
Author: David Garske <david@wolfssl.com>
Date:   Thu Aug 4 08:41:26 2022 -0700

    Merge pull request #5435 from douzzer/20220803-gcc-12-ASAN

    20220803-gcc-12-ASAN

Any idea what the problem might be?


Re: [SOLVED] --enable-sp results in invalid Certificate Verify signature

Sorry for the noise, guys! Using both --enable-sp and --enable-sp-asm solved the problem (although ./configure --help says that --enable-sp-asm is enabled by default on x86_64).
