626

(4 replies, posted in wolfSSL)

Hi Peter,

Thanks for using the wolfSSL forums!

I'll assume for now that you have defined "USE_CERTIFICATE_BUFFERS_2048" since you have ca_cert_der_2048 above.

ASN1 = DER = RAW (These terms can all be used interchangeably). ASN1 is just ASN1 encoding or RAW format encoding.
If you open the certificate in a text editor and it looks like junk it is safe to assume it is ASN1 or RAW or DER format.

PEM = BASE64_Encoded. Any certificate that starts with the line "-----BEGIN CERTIFICATE-----" could safely be assumed to be BASE64_Encoded or in PEM format.

I think I should use der format and write the der format like this:
static const unsigned char ca_cert_der_2048[] =
{
    0x30, 0x82, 0x04, 0xE0, 0x30, 0x82, 0x03, 0xC8, 0xA0, 0x03,
    0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xA6, 0x66, 0x38, 0x49,
.....
Is this correct?

If so, which flag should I use in the loading command? SSL_FILETYPE_PEM ?

That is correct. Please see the header file <wolfssl-root>/wolfssl/certs_test.h for other examples. You would use the flag SSL_FILETYPE_ASN1 for a der formatted certificate.


PS. By the way, I have both PEM and DER format, maybe I should write like this to use PEM:
const unsigned char caCertificate_root[] = "-----BEGIN CERTIFICATE-----MIIFazCCA...."
or?

There is a perl script located here: <wolfssl-root>/gencertbuf.pl
That script is used to "generate certificate buffers" as indicated by the name. That script is what creates the header file <wolfssl-root>/wolfssl/certs_test.h. The script is agnostic (doesn't care if it is pem or der). Simply add one of the pem formatted certificates to the array:

@fileList_2048

and give it a new name like

my_test_pem_cert_2048

Run the perl script and see how the certificate was formatted by viewing the newly updated <wolfssl-root>/wolfssl/certs_test.h

Warm Regards,

Kaleb

Hi cxdinter,

No problem, thank you so much for using the wolfSSL forums! Please don't hesitate to reach out if you have any other questions!


Warmest Regards,

Kaleb

Hi cxdinter,

tcp_connect is the client side API for connecting to a server. To connect to the server you need to know which port the server is listening on for the protocol you intend to connect with thus the argument "port" in the API call to tcp_connect.

So for example if you were to use wolfTLSv1_2_client_method and pass in port 22 to tls_connect then you would be attempting to connect to a port on the server that supports SSH and not TLS. I would expect this to fail. If however you were to change that port number to 443, the standard port for secure http (HTTPS), I would expect this to work as long as the client and server were able to agree on a common cipher suite and the server and client both supported TLS v1.2.

Does that clear things up a bit? Client will be using an ephemeral (randomly assigned) port to send messages out from your computer. The call to tls_connect requires a port argument to know the destination port those messages will be sent to on the server. Without specifying a destination port the packets would never arrive at their intended destination.

Warm Regards,

Kaleb

Hi cxdinter,

I also wanted to point out in case it was unclear. A port and a socket are two different things. I was reviewing my response from yesterday and I never explicitly noted that. My response could be confusing if that is not clear. A socket is not a port. A port is used in the tuple to assist the server in differentiating between client connections. A socket is not used to uniquely identify a client.

Regards,

Kaleb

Hi cxdinter,

OK, you are on the client side.

I will try to clarify a bit more. When a client makes a connection to a server you don't ever assign a specific port to the client, it is assigned randomly when you create your socket (ephemeral port assignment). So you would have to create two unique sockets for the two tunnels.

The server identifies a client uniquely by a tuple. The tuple will contain the random port it was assigned. The server can differentiate between the two connections based on the tuple. So you would call connect twice as the requirement states, once per socket, and then upgrade one of the two connections to a websocket. The requirement does not mention that SNI is part of the differentiation so I think it is safe to assume it already knows how to handle this setup. The server should handle forwarding the websocket connection packets to the websocket service and the non-websocket packets to the non-websocket service.


Regards,

Kaleb

Hi cxdinter,

Could you provide further details on the project and end goals to better answer your question. It's not entirely clear.


1. Are you on the server side hosting multiple domains?
    I ask because you mentioned SNI. The use-case for SNI is you are on the server side hosting multiple domains IE:
    https://www.cats.com  (IP 123.456.78.910)
    https://www.dogs.com (IP 123.456.78.910)
    https://www.cars.com  (IP 123.456.78.910)

    Therefore you need Server Name Indication to determine which domain the client is trying to reach at that IP.

2. Are you using a web server?
    Typically a client will connect on 443 using an ephemeral port (random port). Server identifies the client uniquely based on the tuple: source ip, source port, destination ip, destination port, and protocol. Otherwise the server would only ever be able to service one client at a time, not ideal. Most servers are already set up to handle this and you should not need to concern yourself if you are not on the server side.

Your use-case is not entirely clear. The mention of SNI may be clouding your intended question. Please clarify this a little more if possible.


Regards,

Kaleb

Hi cxdinter,

During TLS communication, sometime we need to resume session, but how can we know current session is invalid or not?

The way this is accomplished is by calling wolfSSL_get_session on the ssl object. This will return a WOLFSSL_SESSION* effectively  saving the session. Then the next time you need to resume a session you would call wolfSSL_set_session with the ssl object and the saved session to resume the session. If an error code is returned that would serve as the validity check you mentioned.

The API's are:

/* returns a WOLFSSL_SESSION object on sucess or NULL on failure */
WOLFSSL_SESSION* wolfSSL_get_session(WOLFSSL* ssl);

/* returns SSL_SUCESS on success or SSL_FAILURE on failure */
int wolfSSL_set_session(WOLFSSL* ssl, WOLFSSL_SESSION* session);

Those API's wrap the internal API's "GetSession" and "SetSession" that are not exposed for external linking. Example code to look at would be in <wolfssl-root>/src/internal.c, the function "ProcessOldClientHello". When we are doing a resume session internally we use the internal API's "GetSession" and "SetSession", you would use a similar process but call the API wrapper functions "wolfSSL_get_session" and "wolfSSL_set_session" instead.

Let us know if you have any other questions!


Warm Regards,

Kaleb

633

(7 replies, posted in wolfSSL)

Hi borodatiyPupok,

I am thrilled we were able to get the executable down to an acceptable size for your needs! Thank you for using the wolfSSL support forums.


Warm Regards,

Kaleb

Hi Peter,

1) Does WolfSSL support using the PIC32MZ1024ECM064 hardware cryptographic engine?

Please see the note in README on CyaSSL Release 2.9.4 "-PIC32 MZ hardware support". It looks like this update was never added to the manual. I have made a note of it and we will try to get that section in the next Manual update.


2) Can I use Harmony Configurator to configure Wolfssl to use the PIC32MZ1024ECM064 hardware cryptographic engine?

The harmony configurator is not for configuring third party libraries, it is used to enable/disable features / support on the target platform in an automated fashion. Occasionally it will name things differently then if manually created: for example instead of "UART_WriteBuffer" the code configurator might call it "UART1_WriteBuffer" which would be incompatible with "out of the box". So there may be some customization required when using the code-configurator.

3) What does it mean with the statement in section 4.4 in the manual: "wolfSSL is able to take advantage of several hardware accelerated (or “assisted”) crypto functionalities in various processors and chips. The following sections explain
which technologies wolfSSL supports out-of-the-box.." Is there another way that is not "out of the box"?

Have you had a chance to go over the README for WOLFSSL_MICROCHIP_PIC32MZ crypto engine support? <wolfssl-root>/mplabx/README. Specifically note:

The projects are set for PIC32MX by default. For PIC32MZ, change project       
properties->Devices and add "WOLFSSL_MICROCHIP_PIC32MZ" to                     
XC32-gcc->Preprocessing and messages-> Preprocessor macros.

Please take a moment to build our pre-existing examples and get a feel for the setup. If you have any questions on those examples please let us know!


Regards,

Kaleb

Hi thomas.cornu,

Could you send us a very simple test case to reproduce what you are seeing. A short .c program with just a main function would do nicely.

Also could you send us the configure options used when building wolfSSL so we have the same setup as you used for testing.

If it's not too much trouble could you give us a little background on the project you're working on? Feel free to send project details to support@wolfssl.com if you don't want to publish in the forums.


Thanks and Regards,

Kaleb

636

(3 replies, posted in wolfSSL)

Hi will,

No problem, thank you for using the wolfSSL forums. I'm so happy we were able to assist in this matter!


- Kaleb

637

(5 replies, posted in wolfSSL)

Hi Ravi,

It's not completely clear what the end goal is here.

I have run your code as is and there is not an issue with the code other than the calls to mp_read_unsigned_bin which are internal to wolfSSL only and not designed to be used in this way. (called externally).

Please explain your desired use-case.
If there is an API that exists and does what you are attempting we will recommend use of that API. If the API does not exist for your desired use-case we'll add it to our feature request list.

Kind Regards,

Kaleb

638

(7 replies, posted in wolfSSL)

Hi borodatiyPupok,

The image you sent shows the static lib only. To see the true size of an application could you try compiling the application that will statically link to wolfssl.lib and check the resulting size of the app? The static lib will contain many portions of code that will get optimized out in an executable. Also I suspect you may be building one of the Debug builds with the size you are seeing. In MSVS go to "Build->Configuration Manager...-> set wolfssl to "Release" ".

To illustrate I'll include the build sizes I see with DEBUG and RELEASE builds and also compare the lib size to the executable size:

DEBUG BUILD for x64:

-rwx------+ 1 boz_windows None  839680 Oct 24 08:19 testsuite.exe
-rwx------+ 1 boz_windows None  608332 Oct 24 08:19 testsuite.ilk
-rwx------+ 1 boz_windows None 1338368 Oct 24 08:19 testsuite.pdb
-rwx------+ 1 boz_windows None 1940904 Oct 24 08:19 wolfssl.lib

lib           = 1,940,904 (nearly 2 Mb)
testsuite.exe = 839,680    (839K)

NOTE: The .lib is much larger than testsuite.exe but testsuite.exe is compiled with the static library. You can see much of the code was optimized out for testsuite.exe

RELEASE BUILD for x64:

-rwx------+ 1 boz_windows None  390144 Nov 14 12:46 testsuite.exe
-rwx------+ 1 boz_windows None  969728 Nov 14 12:46 testsuite.pdb
-rwx------+ 1 boz_windows None 3346028 Nov 14 12:46 wolfssl.lib

lib           = 3,346,028 (3.3 Mb)
testsuite.exe = 390,144    (390K)

Even though the .lib is larger in release mode you can see the executable is far more optimized (839k to 390k) so the size was reduced by more than half. I did these tests with the default configure settings of the windows project. Please try comparing the same with your configure settings and let me know the results.

639

(3 replies, posted in wolfSSL)

Hi will,

wolfSSL does not provide an entropy source. Instead we take advantage of entropy based on the environment the library is being compiled for. Have you defined "NO_DEV_RANDOM" perhaps? If you defined that it will cause this error to be thrown. I would encourage you to look at wolfcrypt/src/random.c and the many implementations of wc_GenerateSeed for the various platforms. Starting on or around line 1133 (look for this comment)

 /* wc_GenerateSeed Implementations */  

and going to on or around line 1590 where you encountered the error directive. Then use these as a model for writing your own version of wc_GenerateSeed if we don't support the target platform you are building for.

Which platform are you building for? Have you checked to see if it already supported?


- Kaleb

Hi will,

pthreads or POSIX threads are provided in BSD library (Unix / Linux). How did you build the library and are you on a Unix/Linux system or windows?

UNIX/LINUX:
If you are on Unix/Linux please also include <wolfssl/options.h> so you get the same settings as wolfSSL was built with.
If that doesn't resolve the issue then please got to wolfssl directory and re-run ./configure <your settings> && make check && make install (or sudo make install if using default install location).

WINDOWS:
If you are on windows you would need to include both "user_settings.h" (or if it cannot locate by default "IDE/WIN/user_settings.h") and <wolfssl/wolfcrypt/settings.h> in your project.


Kind Regards,

Kaleb

Hi wieslaws,

Error code -313 is: "FATAL_ERROR                  = -313,   /* recvd alert fatal error  */".

error codes from -100 to -299 are crypto-related and listed in <wolfssl-root>/wolfssl/wolfcrypt/error-crypt.h
error codes from -300 to -500+ are TLS/SSL related and listed in <wolfssl-root>/wolfssl/error-ssl.h

An alert fatal error could mean the client was unable to negotiate a cipher, it could mean a protocol mismatch (server using TLS v1.x and client using TLS v1.y) or it could could be the client was unable to verify the peer.

Are you able to see error codes on the client side?


Regards,

Kaleb

Hi wieslaws,

Is this code with a custom IO callback or some other function. I can say that in the case of a SSL_ERROR_WANT_READ that value should continue to try as the connect did succeed with SSL_SUCCESS but there is no data on the socket to be read.

Option 1: if you don't mind using a blocking implementation, it appears you may already have that code in a loop due to the "break;" calls I see. You could change those "break;" calls to "continue;" in the case of SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, and only call "break;" if some other error occurs.

Option 2: if you're after a non-blocking solution you could create custom IO callbacks and register them with:

     wolfSSL_SetIORecv(<wolfSSL ctx>, <your custom receive function here>);                                           
     wolfSSL_SetIOSend(<wolfSSL ctx>, <your custom send function here>);

Then make sure to set the SSL Object nonblocking with:

     wolfSSL_set_fd(<ssl object>, <socket>);                                               
     wolfSSL_set_using_nonblock(<ssl object>, <socket>);

Then you could return WOLFSSL_CBIO_ERR_WANT_READ or WOLFSSL_CBIO_ERROR_WANT_WRITE and wolfSSL could keep re-trying the read until it succeeded or some other error code was returned.


Regards,

Kaleb

643

(7 replies, posted in wolfSSL)

Hi borodatiyPupok,

If that is indeed your desired use case here are some defines to get you started. You should add these to the file <wolfssl-root>\IDE\WIN\user_settings.h on your windows platform. If you are just using the library project you can place these inside the "WOLFSSL_LIB" section.

#undef  TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT

/* for maximum security */
#undef  WC_RSA_BLINDING
#define WC_RSA_BLINDING

#undef  NO_DSA
#define NO_DSA

/* saves some space, reference <wolfssl-root>/wolfssl/wolfcrypt/error-crypt.h 
 * for determining an error codes meaning instead.
 */
#undef  NO_ERROR_STRINGS
#define NO_ERROR_STRINGS

#undef  NO_WOLFSSL_MEMORY
#define NO_WOLFSSL_MEMORY

#undef  NO_DH
#define NO_DH

#undef  NO_AES
#define NO_AES

#undef  NO_CODING
#define NO_CODING

#undef  WOLFSSL_BASE64_ENCODE
#define WOLFSSL_BASE64_ENCODE

#undef  NO_RC4
#define NO_RC4

#undef  NO_MD5
#define NO_MD5

#undef  NO_SHA
#define NO_SHA

#undef  NO_OLD_TLS
#define NO_OLD_TLS

#undef  NO_HC128
#define NO_HC128

#undef  NO_RABBIT
#define NO_RABBIT

#undef  HAVE_HASHDRBG
#define HAVE_HASHDRBG

#undef  NO_MD4
#define NO_MD4

#undef  NO_PWDBASED
#define NO_PWDBASED

#undef  WOLFCRYPT_ONLY
#define WOLFCRYPT_ONLY

#undef  USE_FAST_MATH
#define USE_FAST_MATH

Regards,

Kaleb

644

(7 replies, posted in wolfSSL)

Hi borodatiyPupok,

Just one question before suggesting configuration settings. Do you need TLS/SSL, are you building a networked application or do you purely only need RSA key gen and RSA encrypt/decrypt? Are you expecting any other functionality whatsoever?

I also saw in manual that its possible to get a 20-100 Kb version somehow. Or its only PSK version?
What i have to do to reduce the size < 200 Kb at least?

20 Kb is PSK only, and would be very difficult to achieve with public key algorithms. To get < 200Kb we'll have to determine your use case IE answers to the above question.


Kind Regards,

Kaleb

645

(1 replies, posted in wolfSSL)

Hi ahn.woosuk,

Notice in the item you pointed to:

"Position Independent Executable: no, regular shared library (ignored)"

You have compiled the elf library (this is a shared library) but you have not created an elf executable. If my understanding of the hardening-check tool is correct, the check you pointed to is for checking an elf binary or elf executable. So to perform this check you would want to compile an application that links against the wolfSSL library and see if the result is a position independent executable.

For example this application here is not a position independent executable. The report should say "no, normal executable!" for a valid check, not "no, regular shared library (ignored)". The "ignored" is trying to tell you the check for position independent executable was an invalid check on this item.

hardening-check test.axf 
test.axf:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

Out of curiousity have you done this check before on a compiled library other than wolfSSL and seen other results?


Regards,

Kaleb

646

(8 replies, posted in wolfCrypt)

Hi jellefresen,

pthreads is not something provided by wolfSSL. Pthreads stands for POSIX threads and is typically only supported in a POSIX environment.

Please see instructions on building for ARDUINO here: https://github.com/wolfSSL/wolfssl/blob … /README.md

One crucial step is to uncomment the define for WOLFSSL_ARDUINO in <wolfssl-root>/wolfssl/wolfcrypt/settings.h. This will in turn define SINGLE_THREADED which prevents our libraries from including the pthreads header file.


Regards,

Kaleb

647

(3 replies, posted in wolfSSL)

Hi will,

No problem or need to apologize! Once you've had a chance to look at the other posts, if you solve your issue please reply to this thread with which post helped and perhaps a link. If not let us know which version of CyaSSL you're working with, which server you're connecting to, and which certificate you're loading. If we can re-produce the issue, we can find a resolution to it.

Thanks for using the wolfSSL forums!


Regards,

Kaleb

648

(3 replies, posted in wolfSSL)

Hi will,

This error code is only ever returned in wc_ChaCha20Poly1305_Decrypt API. It looks like you agreed on a chacha20 poly1305 cipher suite and got a decrypt error.

Could you tell us which certificate you loaded and which "Apple site" you are connecting to so we can try to re-produce the issue?

My first suspicion is that perhaps you loaded an RSA certificate and connected with an ECC based cipher or vise versa, but it's hard to tell with so few details. Please provide the requested info and we'll try to help you with your issue.


Kind Regards,

Kaleb

649

(1 replies, posted in wolfSSL)

Hi dimax.main,

These undefined references can typically be resolved by adding semi-hosting support to your libraries. I see in the configuration you have

-nostdlib

. Ideally you could replace this by adding lib rdimon and setting the specs to rdimon.specs IE:

 -lrdimon -specs=rdimon.specs

here is a very simple example of a cross-compile script I recently used where we added semi-hosting to the project.

#!/bin/sh                                                                       

#export these items to the local environment (duration of the script)                                                                             
export CCBIN="/opt/gcc-arm-none-eabi-5_2-2015q4/bin"                            
export LIBS="-Wl,--start-group -lgcc -lc -lm -lrdimon -Wl,--end-group"          
export CCT="${CCBIN}/arm-none-eabi-"                                            
                                                                                
CFLAGS="-mcpu=cortex-m4 -mthumb -ffunction-sections -fdata-sections -MD -std=c99 -Wall -Os"
CFLAGS="${CFLAGS} -specs=rdimon.specs"                                                                                                
CFLAGS="${CFLAGS} -DUSE_SLOW_SHA -DNO_HMAC -DRSA_LOW_MEM"
CFLAGS="${CFLAGS} -DTFM_TIMING_RESISTANT -DBENCH_EMBEDDED"

#export these items to the local environment (duration of the script)
export CFLAGS="${CFLAGS}"                                                       
                                                                                
./configure --host=arm-none-eabi CC=${CCT}gcc AR=${CCT}ar --disable-shared --enable-static --disable-sha512 --enable-smallstack --disable-sha --disable-errorstrings --enable-rsa --disable-oldtls --disable-chacha --disable-poly1305 --disable-des3 --disable-md5 --enable-asn --enable-sha256 --enable-fastmath
                                              
make src/libwolfssl.la 

Feel free to use that script and modify it to your needs.


Kind Regards,

Kaleb

650

(3 replies, posted in wolfCrypt)

Hi Jesussotofan,

One final comment on this.

If you were to change the way you are getting the length of the key you could use the original key of "1234567890abcdef".

You currently are using "sizeof" which is why it's counting the null terminator or '\0' character in the length. You have two options when passing into our library:

Option 1:

ret = wc_AesSetKey(&enc, key, strlen(key), iv, AES_ENCRYPTION);

NOTE: strlen will count the length of the string MINUS the null terminator giving you a length of 16 instead of 17

Option 2:

ret = wc_AesSetKey(&enc, key, sizeof(key) - 1, iv, AES_ENCRYPTION);

NOTE: Do the same as you did originally and pass in sizeof(key) - 1. This way you don't have a hex value of 00 or '\0' included in the key.

Regards,

Kaleb