601

(5 replies, posted in wolfSSL)

Hi Peter,

I would recommend Berkley Socket Descriptor (BSD) API. That is well tested and known to work. I am not familiar with ArrayGet and ArrayPut so while I can not recommend them, they may work with a custom IO callback. However BSD API should provide you with access to "recv" and "send" in which case you could remove the define for WOLFSSL_USER_IO and use our default "EmbedReceive" and "EmbedSend" IO callbacks (loaded by default when WOLFSSL_USER_IO is not defined).


Regards,

Kaleb

602

(11 replies, posted in wolfSSL)

Hi Thomas,

-1 indicates that wolfSSL attempted to read from the socket and the read failed outright. Receive can return a non-read (0) which is not a failure, it is a successful read, but 0 bytes were waiting to be read. A -1 indicates an issue with the Receive methodology altogether, either the socket failed to be opened in the first place or there is a fundamental underlying error.

Have you registered your own IO callbacks or are you using our default "EmbedReceiveFrom" and "EmbedSendTo" functions?

Receive just calls whatever IOCallback Receive function was loaded with wolfSSL_SetIORecv API. If the user has not defined "WOLFSSL_USER_IO" and set their own callback function, then our default methods are loaded.

There are a number of reasons this could fail. What TCP/IP stack are you using? Are you checking all the return values when creating the socket? Are you confident the socket was successfully opened for TCP prior to calling wolfSSL_connect on the file descriptor?


Regards,

Kaleb

603

(10 replies, posted in wolfSSL)

Hi hyongsop,

Could you attach the certificates from the BC server?

It sounds like the BC server may be using a certificate NOT signed by the x509ca.pem you loaded with the -A option above. Perhaps it's a self-signed certificate instead of a cert signed by a CA. In which case you would want to load just the servers cert itself in the -A parameter instead of the x509-ca.pem

Either way being able to look at the Subject and Issuers lines of the certs you are using would be helpful to determine the issue.


Regards,

Kaleb

604

(10 replies, posted in wolfSSL)

Hi hyongsop,

Ok this makes sense. Thanks for the info. By default our jni client example tries to load a Certificate Revocation List (CRL) to make sure your servers certificate is not an untrusted certificate. However our test CRL is related to our test ca-cert.pem You can either remove this code block from the test Client.java

343 //            ret = ssl.enableCRL(WolfSSL.WOLFSSL_CRL_CHECKALL);                
344 //            if (ret != WolfSSL.SSL_SUCCESS) {                                 
345 //                System.out.println("failed to enable CRL check");             
346 //                System.exit(1);                                               
347 //            }                                                                 
348 //            ret = ssl.loadCRL(crlPemDir, WolfSSL.SSL_FILETYPE_PEM, 0);        
349 //            if (ret != WolfSSL.SSL_SUCCESS) {                                 
350 //                System.out.println("can't load CRL, check CRL file and date " +
351 //                        "validity");                                          
352 //                System.exit(1);                                               
353 //            }                                                                 
354 //            MyMissingCRLCallback crlCb = new MyMissingCRLCallback();          
355 //            ret = ssl.setCRLCb(crlCb);                                        
356 //            if (ret != WolfSSL.SSL_SUCCESS) {                                 
357 //                System.out.println("can't set CRL callback");                 
358 //                System.exit(1);                                               
359 //            }

Or you can generate a CRL that is related to your new ca (certs/bc/x509-ca.pem). To see how we generate our test CRL please see the script in <wolfssl-root>/certs/crl/gencrls.sh.


Regards,

Kaleb

605

(10 replies, posted in wolfSSL)

Hi hyongsop,

It sounds like you have used our test certificates in JNI server and connected the wolfJNI server with the BC client and that works.

Then you tried connecting to BC server with wolfJNI client and that did not work but instead returned a -188 error correct?


If that is the case you have two options:

#1 You need to procure the certificate authority for the BC server, copy it over to linux and load it into the wolfJNI client with these options:

-u -v 2 -A <path-to>/BC-CA-certificate.pem

#2 You can opt to disable peer authentication just to see if the connection is working with these options:

-u -v 2 -d

By default wolfSSL clients try to always authenticate the peer server as this should be "default" behavior for "best" security practices. It sounds like you did not have to copy our ca-cert.pem over to windows BC client before testing that connection so I would assume they are not doing peer authentication by default. That is not good security practice and I would recommend against following this pattern of behavior if that is indeed the case.

Warm Regards,

Kaleb

606

(1 replies, posted in wolfSSL)

Hi Hyong,

Thank you for reaching out to us and using the wolfSSL forums!

I regret the wolfJNI package is only supported on Linux or Mach at this time. We placed that error intentionally as a sort of "hint" to that effect. We would be happy to explore a consulting effort to port to windows if you need it right away or are unable to port it yourself.

Unfortunately there is not enough demand from the community to justify prioritizing this effort above other paid work. We always desire to support our community and are torn we can not offer to do the port immediately. I hope you can appreciate our need to prioritize work accordingly.

I have added this to the list of requested features on your behalf. To prevent any confusion on the matter I feel obligated to express there is no delivery date associated with this request and our feature request list is quite long. It may be some time before we get around to supporting wolfJNI on windows.


Warmest Regards,

Kaleb

607

(1 replies, posted in wolfSSL)

Hi supersnatch,

wolfSSL has been around since 2006 and we are not going anywhere anytime soon. wolfSSL started out as SawTooth consulting and our co-founder and CTO created the product "yaSSL" which stood for "yet another SSL". yaSSL was written entirely from scratch and based on no other existing SSL implementation. It was written in C++ for MySQL use.

Since that time there was high demand in the embedded space for an SSL solution so our co-founder and CTO re-wrote yaSSL a second time, from the ground up, in the C language. He called it "CyaSSL" this time for "yet another SSL written in C". We re-branded the product in 2014 to wolfSSL and here we are today.

wolfSSL, on average, puts out a new release every 3 months, or 4 releases per year. Occasionally we will do interim releases if a particular feature is in high demand and we want to get it to market as soon as possible. wolfSSL currently has more engineers focused on SSL/TLS than any other security company and we are an Engineer based company!

wolfSSL employs, on average, 2 engineers for every sales / admin employee. Our company goal is to always provide the latest and support the latest that anyone else is working on. Please follow our blog for more info! https://www.wolfssl.com/wolfSSL/Blog/Blog.html

All of this sums up to... (To put it in your words): "A lot of update" and the community in upgrade!


Warm Regards,

Kaleb and the wolfSSL Team

608

(5 replies, posted in wolfSSL)

Hi Jinu,

See reply to zendesk ticket, but I just found out one of our engineers is currently working on a STM32F4 example, it has not made it into the repo yet. I'll get you an update when I have had a chance to touch base with him.


Warm Regards,

Kaleb

609

(3 replies, posted in wolfSSL)

Hi wolfGang,

MPLAB harmony will re-compile the project every time. It compiles a binary that is then flashed to the device. You can update the <wolfssl-root>/wolfssl/wolfcrypt/settings.h header and re-compile to change functionality.

Warm Regards,

Kaleb

610

(3 replies, posted in wolfCrypt)

Hi Iguananaut,

Thank you for your feedback! We are always looking to improve our documentation and are very appreciative whenever we receive feedback of this nature from the community. I have updated that section in the manual to the following:

wc_AesCtrEncrypt
Synopsis:
#include <wolfssl/wolfcrypt/aes.h>

void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz);

Description:
Encrypts/Decrypts a message from the input buffer in, and places the resulting cipher text in the output buffer out using CTR mode with AES. This function is only enabled if WOLFSSL_AES_COUNTER is enabled at compile time. The AES structure should be initialized through AesSetKey before calling this function. Note that this function is used for both decryption and encryption.

Return Values:
No return value for this function.
Parameters:
aes - pointer to the AES object used to decrypt data
out - pointer to the output buffer in which to store the cipher text of the encrypted message
in - pointer to the input buffer containing plain text to be encrypted
sz - size of the input plain text

NOTE: Regarding using same API for encryption and decryption.
    User should differentiate between Aes structures for encrypt/decrypt.

Example:
Aes enc;
Aes dec;
/* initialize enc and dec with AesSetKeyDirect, using direction AES_ENCRYPTION
* since the underlying API only calls Encrypt and by default calling encrypt on
* a cipher results in a decryption of the cipher
*/

byte msg[AES_BLOCK_SIZE * n]; //n being a positive integer making msg some multiple of 16 bytes
// fill plain with message text
byte cipher[AES_BLOCK_SIZE * n];
byte decrypted[AES_BLOCK_SIZE * n];

wc_AesCtrEncrypt(&enc, cipher, msg, sizeof(msg)); // encrypt plain
wc_AesCtrEncrypt(&dec, decrypted, cipher, sizeof(cipher)); // decrypt cipher text

See Also:
wc_AesSetKey

These changes will be reflected the next time the website is updated.


Warm Regards,

Kaleb

611

(3 replies, posted in wolfSSL)

Hi wolfGang,

There are many examples of creating new custom defines in the file

<wolfssl-root>/wolfssl/wolfcrypt/settings.h

When creating a new custom define section we place a commented out option at the top of the settings header file and note to uncomment that single define if you wish to use it.

Then we create a subsection for the define that contains all the various global configure options that pertain to operating environment.

To control features it is customary to define "WOLFSSL_USER_SETTINGS" at the project level. Then add a file named "user_settings.h" to your include path and use this header for enabling/disabling specific features. To see examples of this please have a look at the user_settings.h header files used in several of our examples:

<wolfssl-root>/IDE/IAR-EWARM/embOS/custom_port/custom_port_user_settings/user_settings.h
<wolfssl-root>/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_SAMV71_XULT_user_settings/user_settings.h
<wolfssl-root>/IDE/IAR-EWARM/Projects/user_settings.h
<wolfssl-root>/IDE/iOS/user_settings.h
<wolfssl-root>/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h
<wolfssl-root>/IDE/MDK5-ARM/Conf/user_settings.h
<wolfssl-root>/IDE/MDK5-ARM/Projects/CryptBenchmark/RTE/wolfSSL/user_settings.h
<wolfssl-root>/IDE/MDK5-ARM/Projects/CryptTest/RTE/wolfSSL/user_settings.h
<wolfssl-root>/IDE/MDK5-ARM/Projects/EchoClient/RTE/wolfSSL/user_settings.h
<wolfssl-root>/IDE/MDK5-ARM/Projects/EchoServer/RTE/wolfSSL/user_settings.h
<wolfssl-root>/IDE/MDK5-ARM/Projects/SimpleClient/RTE/wolfSSL/user_settings.h
<wolfssl-root>/IDE/MDK5-ARM/Projects/SimpleServer/RTE/wolfSSL/user_settings.h
<wolfssl-root>/IDE/MDK5-ARM/Projects/wolfSSL-Full/RTE/wolfSSL/user_settings.h
<wolfssl-root>/IDE/MDK5-ARM/Projects/wolfSSL-Lib/RTE/wolfSSL/user_settings.h
<wolfssl-root>/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h
<wolfssl-root>/IDE/WIN/user_settings.h


Warm Regards,

Kaleb

612

(3 replies, posted in wolfCrypt)

Hi mohammad,

If my understanding of your question was off I apologize. I am happy to hear the suggested API addressed your needs.


Warm Regards,

Kaleb

Hi k77,

ECC_SECP256R1 is a valid curve-id
ECC_CURVE_DEF (ECC CURVE DEFAULT) is a flag that tells our library to iterate through the list of SECP or NIST DEFAULT curves.


Warm Regards,

Kaleb

614

(3 replies, posted in wolfCrypt)

Hi mohammad,

To verify a given key you would use the API

wc_ecc_check_key(ecc_key* key);

which takes just the key as an argument. There is no need to extract curve/point for this.

A given point is not tied to any one curve, so to validate a key with a given point you need to already know which curve is being used to validate against. Therefore a curve can not be derived from a given point.

Could you tell us a little more about your project and the need to parse point to struct before calling "wc_ecc_check_key"?


Warm Regards,

Kaleb

615

(4 replies, posted in wolfCrypt)

Hi malikfehan123,

Have you seen our guide for building with TIRTOS found here: https://github.com/wolfSSL/wolfssl-exam … /README.md

Other resources found here: http://processors.wiki.ti.com/index.php … th_TI-RTOS


Warm Regards,

Kaleb

Hi gavinfred,

One other note, we have a define for WOLFSSL_ARDUINO in <wolfssl-root>/wolfssl/wolfcrypt/settings.h that may be helpful if you hadn't seen that yet and also an issue here that might be helpful as well.

https://github.com/wolfSSL/wolfssl/issues/539


Regards,

Kaleb

617

(4 replies, posted in wolfCrypt)

Hi milikfehan123,

Please define WOLFSSL_SHA512 as well. SHA384 depends on SHA512.


Warm Regards,

Kaleb

Hi gavinfred,

We have not ported to the esp8266 yet. Have you had a chance to review our porting guide when building for a new platform?

https://wolfssl.com/wolfSSL/Docs-wolfss … guide.html

That will address all the issues you just noted:

C:\Users\gavin\AppData\Local\Temp\build1361818746455674135.tmp\wolfssl-master\asn.c.o: In function `CheckCurve':
D:\arduino-1.6.5-r5-windows\arduino-1.6.5-r5\libraries\wolfssl-master/asn.c:3473: undefined reference to `__ctype_ptr__'

It looks like you may need to include libc with the flag `-libc`
If you already have libc then try re-installing your toolchain.

.

C:\Users\gavin\AppData\Local\Temp\build1361818746455674135.tmp\wolfssl-master\asn.c.o: In function `ExtractDate':
D:\arduino-1.6.5-r5-windows\arduino-1.6.5-r5\libraries\wolfssl-master/asn.c:3473: undefined reference to `gmtime'
C:\Users\gavin\AppData\Local\Temp\build1361818746455674135.tmp\wolfssl-master\asn.c.o: In function `ValidateDate':
D:\arduino-1.6.5-r5-windows\arduino-1.6.5-r5\libraries\wolfssl-master/asn.c:3473: undefined reference to `gmtime'

See section:

2.9  Time
Necessary when standard time functions are not available, or you need to define a custom clock tick function.

.

C:\Users\gavin\AppData\Local\Temp\build1361818746455674135.tmp\wolfssl-master\random.c.o: In function `wc_RNG_HealthTestLocal':
D:\arduino-1.6.5-r5-windows\arduino-1.6.5-r5\libraries\wolfssl-master/random.c:556: undefined reference to `random'
C:\Users\gavin\AppData\Local\Temp\build1361818746455674135.tmp\wolfssl-master\random.c.o: In function `wc_GenerateSeed':
D:\arduino-1.6.5-r5-windows\arduino-1.6.5-r5\libraries\wolfssl-master/random.c:556: undefined reference to `random'
collect2.exe: error: ld returned 1 exit status

See section:

2.7  Random Seed
Necessary if either /dev/random or /dev/urandom is not available or you want to integrate into a hardware RNG.


Best Regards,

Kaleb

619

(4 replies, posted in wolfSSL)

Hi Peter,

Thanks for posting your findings so others may find it useful in the future.


Warm Regards,

Kaleb

620

(2 replies, posted in wolfSSL)

Hi mohammad.abomokh,

For example usage please see file <wolfssl-root>/wolfcrypt/test/test.c and in the "aes_test()" function see section wrapped in:

 #ifdef WOLFSSL_AES_COUNTER

Also including excerpt from "chapter 18: wolfCrypt API Reference" of the wolfSSL Manual: https://www.wolfssl.com/wolfSSL/Docs-wo … i-aes.html


wc_AesCtrEncrypt
Synopsis:
#include <wolfssl/wolfcrypt/aes.h>

void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz);

Description:
Encrypts/Decrypts a message from the input buffer in, and places the resulting cipher text in the output buffer out using CTR mode with AES. This function is only enabled if WOLFSSL_AES_COUNTER is enabled at compile time. The AES structure should be initialized through AesSetKey before calling this function. Note that this function is used for both decryption and encryption.

Return Values:
No return value for this function.

Parameters:
aes - pointer to the AES object used to decrypt data
out - pointer to the output buffer in which to store the cipher text of the encrypted message
in - pointer to the input buffer containing plain text to be encrypted
sz - size of the input plain text

Example:
Aes enc_dec;
// initialize enc_dec with AesSetKeyDirect, using direction AES_ENCRYPTION

byte msg[AES_BLOCK_SIZE * n]; //n being a positive integer making msg some multiple of 16 bytes
// fill plain with message text
byte cipher[AES_BLOCK_SIZE * n];
byte decrypted[AES_BLOCK_SIZE * n];

wc_AesCtrEncrypt(&enc_dec, cipher, msg, sizeof(msg)); // encrypt plain
wc_AesCtrEncrypt(&enc_dec, decrypted, cipher, sizeof(cipher)); // decrypt cipher text

See Also:
wc_AesSetKey

Regards,

Kaleb

Hi k77,

I believe the API's you are looking for will be defined in <wolfssl-root>/wolfssl/wolfcrypt/ecc.h since it is Elliptic Curve Diffie Helman and not just Diffie Helman (see section #ifdef HAVE_ECC_DHE in ecc.h header file). For creating a new key from scratch wc_ecc_make_key_ex (extended) should be used to address two of your questions as you can pass in specific curve to the extended API.

For the other parts of your question it's not entirely clear if you are trying to load in the key to wolfcrypt or if you are at the point in the algorithm where you have received the public key from the trusted execution environment and wish to generate a shared secret for passing information securely.

To generate a shared secret please use ecc_shared_secret. To load a key into wolfcrypt please the corresponding ecc_import API. (See section #ifdef HAVE_ECC_KEY_IMPORT in ecc.h header for list of API's)


Best Regards,

Kaleb

Hi cxdinter,

We have received a few inquiries of this nature over the years. To be absolutely clear let me express that this is

HIGHLY NOT RECOMMENDED by wolfSSL. This can open yourself up to attacks and in general is a bad idea. We can not express how strongly we do not recommend doing what you are requesting. To convey our concern let me provide a real world example.

A certificate belonging to the domain comehereforfreemoney.com is currently on the Certificate Revocation List (CRL) because if you visit that domain it will install a virus on your computer or do some other malicious thing. Once the certificate belonging to that domain expires it drops off the CRL and you can no longer tell it's a certificate belonging to a malicious domain by checking it against the CRL. You decide to trust it because you ignore the date and the CRL is checked and comes back with an OK status since that certificate is no longer tracked by the CRL. Your connection is allowed and you end up with a virus or other malicious behavior is performed due to the approved connection.


Now that you are briefed on the potential pitfalls of ignoring date checks:

Due to the requests over the years we have provided an example of doing this in <wolfssl-root>/wolfssl/test.h

The function "myDateCb" can be used as a model for achieving your desired use-case.
You would create your own custom callback similar to myDateCb and then register that "verify callback" with the API "wolfSSL_CTX_set_verify". Then whenever a verify is performed it will use your callback instead of the default one in wolfSSL.

Example:

int myCustomVerifyFunction(int preverify, WOLFSSL_X509_STORE_CTX* store);


int myCustomVerifyFunction(int preverify, WOLFSSL_X509_STORE_CTX* store)
{
    /* Model after myDateCb from <wolfssl-root>/wolfssl/test.h */
    /* return 1 for success */
    /* return 0 for failures */
}


... application code ...
wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myCustomVerifyFunction);
... application code ...

Regards,

623

(7 replies, posted in wolfSSL)

We don't currently have an example of using the I/O callbacks with memory buffers.  If you were using memory buffers, you might have your own custom structure which contains pointers to buffers and members to hold sizes of the buffers.

Hi everyone, we now have an io-callback example using memory buffers. The example has both client and server in the same file and uses memory buffers to perform TLS handshake.

Example is here: https://github.com/wolfSSL/wolfssl-exam … mory-tls.c

Regards,

wolfSSL Team

624

(3 replies, posted in wolfSSL)

Hi khan92,

My apologies, I will also try to be clearer:

wolfSSL takes every effort to support any operating system and environment. We also make an effort to provide functionality that will allow any OS/environ we do not currently support, to be ported somewhat easily. To facilitate this portability, by default wolfSSL uses what is called a Custom In/Out Callback function(CustomIOCallback). The call chain is like this:

wolfSSL_read ->wolfSSL_read_internal -> ReceiveData -> (various paths) -> GetInputData -> Receive -> CustomIOCallback

You can register any custom IO callback you want to with the API's:

wolfSSL_SetIORecv(ctx, <your custom Receive function name here>);                                           
wolfSSL_SetIOSend(ctx, <your custom Send function name here>);

So to have wolfSSL_read be the equivalent of ANY input functionality, you write your custom IO receive callback to use the desired input functionality. In this case you desire wolfSSL_read to use a custom callback that calls readmsg() instead of some other input function.

I just opened a PR yesterday with example client and servers where wolfSSL_read actually reads out of a file and wolfSSL_write writes to a file. The client and server perform a TLS connection through the file system instead of using sockets. These examples are currently in a PR but should soon be merged. Please feel free to use them as a guide for your work.

https://github.com/wolfSSL/wolfssl-examples/pull/34


Warmest Regards,

Kaleb

625

(3 replies, posted in wolfSSL)

Hi khan92,

The equivalent API call in wolfSSL is defined in <wolfssl-root>/wolfssl/ssl.h:

WOLFSSL_API int  wolfSSL_read(WOLFSSL*, void*, int);

For simple examples that demonstrate this API in use please see our example client/server here:

https://github.com/wolfSSL/wolfssl-exam … rver-tls.c
https://github.com/wolfSSL/wolfssl-exam … ient-tls.c

Regards,

Kaleb