Topic: ECC Signing/Encryption with Custom RNG

Hi, I am developing firmware for an embedded device, and I would like to use the wolfCrypt library for encryption and digital signing.

I am trying to make use of the ECC methods; however, when attempting to use my board's HWRNG, I am unable to generate ECC keys.

#undef CUSTOM_RAND_TYPE
#define CUSTOM_RAND_TYPE uint32_t
extern uint32_t custom_rand_generate(byte* data, word32 len);
#undef CUSTOM_RAND_GENERATE
#define CUSTOM_RAND_GENERATE custom_rand_generate

Below is a rough outline of what I have. This will compile; however, key generation and signing will always fail with -173 and -170 respectively.

uint32_t custom_rand_generate(byte* data, word32 len) {
        return MXC_TRNG_Random(data, len);
}

int asym_sign(uint8_t *ciphertext, size_t len) {
        ecc_key key;
        int makeKey, eccInit, rngInit;
        int rngCheck;
        byte rng;

        rngInit = MXC_TRNG_Init();
        rngCheck = custom_rand_generate(&rng, 256);

        eccInit = wc_ecc_init(&key);
        makeKey = wc_ecc_make_key(/* TODO PASS RNG */, ECC_KEY_SIZE, &key);
}

2 (edited by groovytacocat 2024-02-18 12:34:43)

Re: ECC Signing/Encryption with Custom RNG

To update this I have NO_HASHDRBG, CUSTOM_RAND_GENERATE, CUSTOM_RAND_GENERATE_SEED

int custom_rand_generate_block(byte* data, word32 len) {
    return MXC_TRNG_Random(data, len);
}

unsigned int my_rng_seed_gen(void) {
    return MXC_TRNG_RandomInt();
}

I've tested these methods and they successfully generate random values. However, it seems that wc_RngInit() will fail every time with error -199.

Looking at random.c/random.h, it seems that RngInit will fail every time because of the if (rng == NULL) check and never makes it further into the function where the #if CUST etc... is located.

I would love some guidance on this, as I don't understand how to use the hardware's TRNG in combination with wc_InitRNG() and the rest of the crypto functionality.

Re: ECC Signing/Encryption with Custom RNG

Hello groovytacocat,

Welcome to the wolfSSL forums!

There are two methods for using a custom RNG source with wolfSSL:
- "Custom Seed Source" using CUSTOM_RAND_GENERATE to seed the P-RNG
or
- "Bypass P-RNG and use only HW RNG" using CUSTOM_RAND_GENERATE_BLOCK

By setting NO_HASHDRBG, you are disabling the P-RNG, but you have not defined CUSTOM_RAND_GENERATE_BLOCK.

Please try removing the define for NO_HASHDRBG.


Could you tell us a bit more about your project using wolfSSL? Feel free to email us at support@wolfssl.com if you'd prefer a more private venue.

Thanks,
Eric - wolfSSL Support
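
A sketch of a block callback for the second method, as an added example that is not from wolfSSL or from the posters. `trng_word`, the two `demo_source_*` functions and `RNG_STUCK_LIMIT` are hypothetical names, the sources are constructed stand-ins for the board's TRNG driver, and the return convention (0 on success, non-zero on failure) is an assumption about what the caller of CUSTOM_RAND_GENERATE_BLOCK expects.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical TRNG word source: writes one 32-bit word, returns 0 on success.
 * A function pointer lets the constructed sources below stand in for hardware. */
typedef int (*trng_word_fn)(uint32_t *out);
static trng_word_fn trng_word = NULL;
#define RNG_STUCK_LIMIT 4  /* this many repeats of one word = treat as fault */

/* Shaped for CUSTOM_RAND_GENERATE_BLOCK: returns 0 on success, <0 on error
 * (assumed convention: the caller treats any non-zero value as failure). */
int custom_rand_generate_block(unsigned char *data, unsigned int len)
{
    uint32_t word = 0, prev = 0;
    unsigned int off = 0, repeats = 0, n;
    if (data == NULL || trng_word == NULL)
        return -1;
    while (off < len) {
        if (trng_word(&word) != 0)
            goto fail;                       /* driver reported an error */
        repeats = (off > 0 && word == prev) ? repeats + 1 : 0;
        if (repeats >= RNG_STUCK_LIMIT)
            goto fail;                       /* output is stuck */
        prev = word;
        n = (len - off < 4) ? (len - off) : 4;
        memcpy(data + off, &word, n);        /* tail may be 1..3 bytes */
        off += n;
    }
    return 0;
fail:
    memset(data, 0, len);                    /* no partial output */
    return -2;
}

/* Constructed sources for the demonstration; neither is real entropy. */
static uint32_t demo_state = 0x12345678u;
static int demo_source_ok(uint32_t *out)
{
    demo_state = demo_state * 1664525u + 1013904223u;
    *out = demo_state;
    return 0;
}
static int demo_source_stuck(uint32_t *out) { *out = 0xFFFFFFFFu; return 0; }

int main(void)
{
    unsigned char key_seed[32];
    trng_word = demo_source_ok;
    return custom_rand_generate_block(key_seed, sizeof key_seed);
}
```

The buffer handed to the callback must be at least `len` bytes long; the outline in the first post passes a one-byte variable with a length of 256, which writes past the end of that variable.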

4 (edited by groovytacocat 2024-02-19 16:22:02)

Re: ECC Signing/Encryption with Custom RNG

Hello Eric,

Thanks for the quick reply! After some debugging, I discovered that my #def/undef macros were not being included/recognized.

This project is designing firmware for the MAX78000fthr board for the MITRE eCTF.

I am very new to programming in general, so apologies for any poor documentation or explanations. I had a user_settings.h file (mostly copied from the GCC-ARM example) with the macros I needed defined, however the project is compiled by a large Makefile provided by MITRE and I am unsure how it is building the library beyond using some/all of the gcc-arm-eabi-none settings/flags from the cross-compile example in the manual.

My solution that appears to work as expected was placing my user_settings.h macros in the wolfssl/wolfcrypt/settings.h file. The project now compiles the binaries and they function without errors (at least none so far lol)


EDIT: I am able to successfully encrypt a plaintext message, hash that ciphertext, then create an ecc_key and sign the hash digest

However, when I follow up by immediately using wc_ecc_verify_hash and pass the ecc_key generated by wolfCrypt, I get the error ASN_ECC_KEY_E, and I'm not sure why it's trying to parse an ASN sequence.

My test is similar to the example https://github.com/wolfSSL/wolfssl-exam … ecc-sign.c here

Re: ECC Signing/Encryption with Custom RNG

Ok I have most/all of the things that were broken/failing fixed!

The only issue I have as of now is a way for my user settings to be included without having to edit the wolfssl/wolfssl/wolfcrypt/settings.h file

Re: ECC Signing/Encryption with Custom RNG

Add this option to the compiler CFLAGS "-DWOLFSSL_USER_SETTINGS"

Re: ECC Signing/Encryption with Custom RNG

embhorn wrote:

Add this option to the compiler CFLAGS "-DWOLFSSL_USER_SETTINGS"

Once I add this, do I just need to leave my user_settings.h file in the directory that I have other header files in?

Re: ECC Signing/Encryption with Custom RNG

Yes, as long as the user_settings.h file is in the include path it will be used.

Re: ECC Signing/Encryption with Custom RNG

embhorn wrote:

Yes, as long as the user_settings.h file is in the include path it will be used.

I've added that flag to the Makefile, and have user_settings in my project's inc directory, but when I go to compile everything I get a failure for undefined references and unknown types for things I have defined in user_settings.

Is there somewhere in the wolfssl directory that it needs to be in?

For reference my user_settings.h is:

#ifndef WOLFSSL_USER_SETTINGS
#define WOLFSSL_USER_SETTINGS

#ifdef __cplusplus
extern "C" {
#endif

#define BLOCK_SIZE AES_BLOCK_SIZE
#define KEY_SIZE 32
#define HASH_SIZE SHA256_DIGEST_SIZE

#define HAVE_ECC_VERIFY
#define HAVE_ECC256

#undef WC_NO_HASHDRBG
#define WC_NO_HASHDRBG

#undef CUSTOM_RAND_TYPE
#define CUSTOM_RAND_TYPE int

#undef CUSTOM_RAND_GENERATE
#define CUSTOM_RAND_GENERATE rand_gen
extern unsigned int rand_gen(void);

#undef  CUSTOM_RAND_GENERATE_BLOCK
#define CUSTOM_RAND_GENERATE_BLOCK  custom_rand_generate_block
extern unsigned int custom_rand_generate_block(unsigned char* data, unsigned int len);

#undef NO_RSA
#define NO_RSA

#undef WOLFSSL_SHA3
#define WOLFSSL_SHA3

#undef  NO_CRYPT_BENCHMARK
#define NO_CRYPT_BENCHMARK

#undef  NO_CRYPT_TEST
#define NO_CRYPT_TEST

#undef  NO_FILESYSTEM
#define NO_FILESYSTEM

#undef  NO_WRITEV
#define NO_WRITEV

#undef  NO_MAIN_DRIVER
#define NO_MAIN_DRIVER

#undef  NO_DSA
#define NO_DSA

#undef  NO_RC4
#define NO_RC4
#ifdef __cplusplus
}
#endif //END OF C++
#endif //END WOLFSSL_USER_SETTINGS
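
An added example, not part of the original post or of wolfSSL's code, showing how the include guard above interacts with the compiler flag: `-DWOLFSSL_USER_SETTINGS` defines the macro before any header is read, so a guard that reuses that name evaluates false and the header body is skipped. The guard name `MY_USER_SETTINGS_H` and the `_FIXED` suffixes are hypothetical and exist only to keep both variants in one file.

```c
#include <stdio.h>

/* Stands in for -DWOLFSSL_USER_SETTINGS on the compiler command line. */
#define WOLFSSL_USER_SETTINGS 1

/* (1) Header body guarded with the flag's own name, as in the post above.
 *     The macro is already defined, so nothing in here is compiled. */
#ifndef WOLFSSL_USER_SETTINGS
#define WOLFSSL_USER_SETTINGS
#define KEY_SIZE 32
#define CUSTOM_RAND_GENERATE_BLOCK custom_rand_generate_block
#endif

/* (2) The same settings behind a guard name of their own. */
#ifndef MY_USER_SETTINGS_H
#define MY_USER_SETTINGS_H
#define KEY_SIZE_FIXED 32
#define CUSTOM_RAND_GENERATE_BLOCK_FIXED custom_rand_generate_block
#endif

/* Bit 0 set if the key-size setting was seen, bit 1 if the RNG hook was. */
int settings_seen_posted_guard(void)
{
    int seen = 0;
#ifdef KEY_SIZE
    seen |= 1;
#endif
#ifdef CUSTOM_RAND_GENERATE_BLOCK
    seen |= 2;
#endif
    return seen;
}

int settings_seen_unique_guard(void)
{
    int seen = 0;
#ifdef KEY_SIZE_FIXED
    seen |= 1;
#endif
#ifdef CUSTOM_RAND_GENERATE_BLOCK_FIXED
    seen |= 2;
#endif
    return seen;
}

int main(void)
{
    printf("posted guard: %d, unique guard: %d\n",
           settings_seen_posted_guard(), settings_seen_unique_guard());
    return 0;
}
```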
