Topic: wolfSSL in OS less environment

Hi,

I am trying to use the wolfssl-1.6.5 library (TLS part) in OS less environment for which I need embedded SSL. I found that wolfssl-1.6.5 uses heavy memory management and pointers. Library has defined xmalloc functions for memory management when used with NO_FILESYSTEM macro.

I am facing problem for this memory management. How to implement this memory management using xmalloc functions?

Vishal N

Share

Re: wolfSSL in OS less environment

First off, I'd recommend using the latest version, 1.8.0.

wolfSSL does use pointers, it allows flexibility in the design and memory usage.

What do you mean by heavy memory management?  You can use the fast-math library to reduce all dynamic memory use for public key crypto, which is the main consumer of dynamic memory.

NO_FILESYSTEM is completely independent of dynamic memory.

If you want to write your own XMALLOC routine, by all means, write it.  The prototype is in types.h.  You can ignore the "extra" parameters if you wish, or use them however you like.

Share

3 (edited by vishaln 2011-01-17 20:52:23)

Re: wolfSSL in OS less environment

Hi Todd,

I am trying to use the TLS1.2 from the wolfSSL library. There I found that by default library reads the certificate from the file system using fopen and fclose functions. As I am working in OS less environment I have stored these certificates in buffer and uses functions,

wolfSSL_CTX_use_certificate_buffer
wolfSSL_CTX_use_PrivateKey_buffer

to load the certificates. These functions internally uses "PemToDerBuffer" function to convert the certificate in DER format. This "PemToDerBuffer" function uses the XMALLOC to allocate memory of certificate size to store the cetrtificate. Can we bypass this memory allocation as I am working in OS less environment? Or do I need to implement the memory management using XMALLOC AND XFREE functions for these calls?

Vishal N

Share

Re: wolfSSL in OS less environment

wolfSSL tries to be flexible in this area.  If it didn't use any dynamic memory static buffers would have to be created at the max size for all possible uses.  32kB for input/output, 12kB per certificate per type (in case conversion is necessary), 4kB per key for all types, etc...  In the case where someone just wanted to use PreSharedKeys with small data buffers they'd be paying for 100kB of stack memory use, memory that might not be available.

I suppose wolfSSL could have a build option to use static buffers of reasonable size for keys and certificates.

But currently, your best bet is to implement XMALLOC and XFREE.  You could simply have several static buffers that you use for these functions.  Your compiler doesn't provide any dynamic memory use? I'm not sure I've seen that even without an OS.

Share

5 (edited by vishaln 2011-01-23 08:09:40)

Re: wolfSSL in OS less environment

I am getting run time error to mp_int variable which is in integer.c file. Can any one tell me any way to resolve this error?

Error is not during compile time, while execution my MPLAB IDE gets crashed.

Is there any compiler settings which need to do to avoid this error? I am working on OS less environment.

Vishal N

Share

Re: wolfSSL in OS less environment

Are you compiling integer.c or tfm.c (with the USE_FAST_MATH option)?

If you are using fast math try defining TFM_TIMING_RESISTANT to reduce the runtime stack size.

If you're using integer.c, which function in that file is causing the crash?

Share

7 (edited by vishaln 2011-01-25 07:03:28)

Re: wolfSSL in OS less environment

Hi,

I am facing problem for MP_8BIT. MP calculations are working when MP_8BIT macro is defined. But again execution fails at the time of creating the Signer object.

I am using 32 bit micro controller.  Can you tell me how to use this MP for 32bit micro controller?

Vishal N

Share

Re: wolfSSL in OS less environment

So is MP_8BIT working or not, I'm a little confused.

mp_word needs to be at least twice as big as mp_digit.  When MP_8BIT is defined mp_digit is char and mp_word is short.  Probably 8 and 16bits, but can you verify that?  How many bits is long, what about long long?

Are you defining SIZEOF_LONG or SIZEOF_LONG_LONG?  What compiler are you using?

Which function is causing the problem? MakeSigner() has nothing to do with mp_ints.  Is it possible you're running out of memory on the malloc call in MakeSigner() and that's causing the problem?

Share

9 (edited by vishaln 2011-01-25 23:04:38)

Re: wolfSSL in OS less environment

I have tried defining both the macros and below is my findings,

MP_8BIT works for mp_init and related functions but application crashes in "MakeSigner" function.

MP_16BIT works for "MakeSigner" functions but then application crashes in mp_init and mp_grow functions.

I have defined,

#define SIZEOF_LONG 4
#define SIZEOF_LONG_LONG 8

mp_word size is 4 bytes and mp_digit size is 2 bytes.

I have implemented the XMALLOC, XREALLOC and XFREE which is managing the unsigned char buffer.

I am using MPLAB C compiler pic32-gcc. My micro controller is 32bit.

Vishal N

Share

Re: wolfSSL in OS less environment

Four things:

1) Since you have a 64bit type available there's no reason to define MP_8BIT or MP_16BIT.  Try removing those.

2) But it sounds like the problem is with memory.  MakeSigner(), mp_init(), and mp_grow() all have one thing in common, dynamic memory use.

3) You could also try defining USE_FAST_MATH and compiling tfm.c in place of integer.c.  Recompile everything and see how that goes.  It removes dynamic memory use from the big integer library but if you truly have a dynamic memory problem it will likely just show up someplace else.

4) Try running the code on a "full" system where you can use a memory debugger to track down any potential problems.

Share

Re: wolfSSL in OS less environment

Hi todd,

Thanks for the suggestion. By replacing the integer.c with tfm.c I got the project compiled and worked. But my TLS functionality is failing.

Now I want to test the TLS part of this. I want to use the "TLS_RSA_WITH_AES_256_CBC_SHA", can you please tell me where I need to do the configuration in library so it will work with this configuration?

Vishal N

Share

Re: wolfSSL in OS less environment

How is it failing?  When and what error?  Are you the client or server?  Which version of TLS?  What SSL library is on the other end?  Can you provide a wireshark trace of the interaction?  You can send that to me, todd @ yassl.com .  Thanks.

Share

13 (edited by vishaln 2011-01-28 04:28:53)

Re: wolfSSL in OS less environment

I am using wolfSSL-1.6.5, as I have already ported this library on OS less environment hence not using 1.8.0.

I am using the wolfSSL on both(client and server) the ends for TLS1.2. Client is on OS less environment and server is on PC(windows XP). I am trying to achieve the TLS1.2 in between these clients. I am getting bad certificate error for client certificate when it got transferred to server.

Initially server was not sending the certificate request to client, so I have  made ctx->verifypeer field to 1(one). Now it is sending the certificate request to client and client is sending the certificate as well. But I am getting the bad certificate(for client certificate) error at server side i.e. Alert(21) message with level 2(fatal) and description 42(Bad certificate). I have traced in and found that mismatch between "cert->issuerHash" and "signers->hash". Because of hash mismatch server is giving the bad certificate error.

I have used wolfSSL's server certificate(server-cert.pem) for server side and wolfSSL client certificate(client-cert.pem), and stored it in  C array(unsigned char) like below,

const unsigned char certBuffer[] = {"-----BEGIN CERTIFICATE-----\n\
....\n\
....\n\
....\n\
-----END CERTIFICATE-----\n"};

“…” replaces actual cert/key data. Is this the right way to store the certificate in C array(unsigned char) or do I need to copy complete file in C array(unsigned char)? This array is used directly by "PemToDerBuffer" function. Same way CA certificate and

CA cert file - ca-cert.pem
Server cert file – server-cert.pem
Server key file – server-key.pem
Client cert file – client-cert.pem
Client key file – client-key.pem

I have following questions,

1.    Do I need to implement the function “GenerateSeed”? if yes what will be output in case of OS less environment?
2.    I have made change in “ctx->verifypeer” field? Is it correct or should it be done by library itself? If yes what fields?
3.    Server is not sending the key? What could be the reason? do we need to do any change in library configuration like done for “ctx->verifypeer” field?
4.    I want to use “TLS_RSA_WITH_AES_256_CBC_SHA”, what kind of configuration settings I need to do in libraries?

If you have any document which describes all these things please let me know I will go through it.

Share

Re: wolfSSL in OS less environment

1) Yes, you need to implement GenerateSeed().  The output should be cryptographically secure random output.  Your hardware may offer that ability.

2) No, to get the server to send a certificate request you need to turn on peer verification on the server like this:

SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);

The reason you're getting a verify error on the server for the client certificate is because you likely haven't loaded the client certificate as a verification certificate on the server side.  See the example server in server.c, specifically the line below the comment /* for client auth */.

3) The server should never it's private key.  The private key is meant to be private, otherwise you have no security at all.  The public key is sent in the certificate.

4)  TLS_RSA_WITH_AES_256_CBC_SHA is the default cipher suite that wolfSSL on both sides will negotiate so nothing needs to be done.

Share

15 (edited by vishaln 2011-01-29 05:59:03)

Re: wolfSSL in OS less environment

Thanks todd,

I got TLS1.2 working on OS less environment. I have replaced the tcp layer with USB.

Vishal N

Share

16 (edited by vishaln 2011-02-03 10:12:35)

Re: wolfSSL in OS less environment

Hi todd,

If i want to use TLS_DHE_RSA_WITH_AES_256_CBC_SHA want changes I need to do in library/code? i didn't find any information about this in documents.

What is default RSA number is set? RSA 2048 or RSA 1024?

Thanks in advanced.

Vishal N

Share

Re: wolfSSL in OS less environment

RSA bit strength is determined by the server's RSA key strength in the server's certificate.  If you want RSA 2048 make sure the server's RSA key pair and certificate is using RSA 2048.

The wolfSSL client will use TLS_DHE_RSA_WITH_AES_256_CBC_SHA by default if the server supports it.  The wolfSSL server doesn't currently support it.  But now that wolfSSL has key generation with the latest release it will be added into the next release or so.

Share

Re: wolfSSL in OS less environment

Hi todd,

I want to compile this library for windows 7 64 bit version. I tried by making configuration to x86 but seems it didn't worked as expected.

Is there any other thing wee need to do to compile wolfSSL for windows 7 64 bit version?

Vishal N

Share

Re: wolfSSL in OS less environment

Did you try the Visual Studio Project or something else?  What problems are you running into?

Share