Hi pstudni,
A commit has been made to address your issue. Please find here: https://github.com/wolfSSL/wolfssl/pull/544
Kind Regards,
- Kaleb
You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by Kaleb J. Himes
Hi pstudni,
A commit has been made to address your issue. Please find here: https://github.com/wolfSSL/wolfssl/pull/544
Kind Regards,
- Kaleb
Hi ravi.kumar,
Just as a followup I'll be discussing this with my colleagues and see if there is a fix we might introduce if the original format you sent is RFC compliant as well. We'll be doing some further investigation on this case for sure however testing multiple things and to fix the issue your currently facing it's easy enough to do as noted above and using the re-formatted "private_key_try2.pem".
openssl rsa -inform pem -in private_key.pem -outform pem -out private_key_try2.pem
I have verified the resulting "private_key_try2.pem" contains all the correct information, the modulus, privateExponent, prime1, prime2, exponent1, exponent2, and coefficient are all still the same, the only thing that changes is the hex representation of the key in the .pem file (the .pem format is the only thing that is modified).
We still look forward to hearing from you on how this key was generated / where it came from.
Kind Regards,
- Kaleb
Hi ravi.kumar,
The key is improperly formatted. I'm honestly surprised openssl is able to parse it. Just do this command and compare the outputs:
openssl rsa -inform pem -in private_key.pem -outform pem -out private_key_try2.pem
now diff the two files and you'll see they do not match in any way. If you do the same command on our existing ca-key.pem in the <wolfssl-root>/certs directory:
openssl rsa -inform pem -in ca-key.pem -outform pem -out ca-key_try2.pem
and diff those two files they remain identical in every way. Could you tell us where you got that RSA key you are using and how it was generated?
Fix for your issue is to use the resulting "private_key_try2.pem" from the command above. That is RFC compliant formatting and our libraries process it just fine.
Kind Regards,
Hi Snuggle,
I wanted to send you a guide on how this might be accomplished. Please find attached.
Kind Regards,
Kaleb
Hi Subhash,
The following is the response from Texas Instruments:
Hi Kaleb,
We have added a new TLS module which supports multiple SSL stacks that TI supports including WolfSSL. This module is in a sub product ns_1_11_00_10 under TI-RTOS/products. The release notes of the sub-product documents the change.
Yes, the wiki “Using wolfSSL with TI-RTOS” still states the v2.14.04.31 as we still document the steps for building libraries for older wolfSSL using older TI-RTOS.
- End quote from TI
I hope this helps in your decision making process.
Regards,
Kaleb
Hi Subhash,
I have checked both the release notes for the version and the wiki page here:
http://processors.wiki.ti.com/index.php … th_TI-RTOS
From what I can tell there is no change other than the wolfSSL+TI-RTOS libraries can now be built with the .mak in <wolfssl_root>/tirtos and no longer have to be built with the .mak in C:\ti\tirtos_tivac_xxxxxxx\tirtos.mak
I am working to confirm this is the case and will let you know as soon as I find out.
Regards,
Kaleb
Hi Subhash,
I am looking into this and will get back to you as soon as I have any information.
Regards,
Kaleb
Hi Everyone,
It has recently been realized that at some point the rules to make wolfssl went missing from the tirtos.mak distributed in tirtos_tivac_x_xx_xx_xx. We are not sure yet which versions specifically have been effected but I can confirm this in tirtos_tivac_2_16_00_08.
If you add the following rules back in to tirtos_tivac_x_xx_xx_xx/tirtos.mak you should be good to go with the guide found here: https://github.com/wolfSSL/wolfssl-exam … /README.md
wolfssl:
@ echo building wolfssl ...
@ $(XDCTOOLS_INSTALL_DIR)/gmake -f $(WOLFSSL_TIRTOS_DIR)/wolfssl.mak \
XDC_INSTALL_DIR=$(XDCTOOLS_INSTALL_DIR) \
SYSBIOS_INSTALL_DIR=$(BIOS_INSTALL_DIR) \
NDK_INSTALL_DIR=$(NDK_INSTALL_DIR) \
WOLFSSL_INSTALL_DIR=$(WOLFSSL_INSTALL_DIR) \
TIRTOS_INSTALLATION_DIR=$(TIRTOS_INSTALL_DIR) \
$(XDCARGS) -C $(WOLFSSL_TIRTOS_DIR)
clean-wolfssl:
@ echo cleaning wolfssl ...
@ $(XDCTOOLS_INSTALLATION_DIR)/gmake -f $(WOLFSSL_TIRTOS_DIR)/wolfssl.mak \
XDC_INSTALL_DIR=$(XDCTOOLS_INSTALLATION_DIR) \
SYSBIOS_INSTALL_DIR=$(BIOS_INSTALLATION_DIR) \
NDK_INSTALL_DIR=$(NDK_INSTALLATION_DIR) \
WOLFSSL_INSTALL_DIR=$(WOLFSSL_INSTALLATION_DIR) \
TIRTOS_INSTALLATION_DIR=$(TIRTOS_INSTALLATION_DIR) \
-C $(WOLFSSL_TIRTOS_DIR) clean
I also updated the example tirtos.mak here to reflect these new rules: https://github.com/wolfSSL/wolfssl-exam … tirtos.mak
Regards,
Kaleb
Hi lwatcdr,
Have you read our documentation in the manual on certificate usage? https://wolfssl.com/wolfSSL/Docs-wolfss … cates.html
Have you seen our examples on github https://github.com/wolfSSL/wolfssl-exam … rtmanager?
Have you looked at the usage example in wolfcrypt/test/test.c?
All of these may be extremely useful in assisting you with your project!
Can I get the public key out of the WOLFSSL_CTX structure after I do a load verify buffer?
It is possible.
The WOLFSSL_CTX Structure contains a WOLFSSL_CERT_MANAGER* cm;
ctx->cm
The CERT_MANAGER contains a Signer* caTable[CA_TABLE_SIZE]
ctx->cm->caTable
and whichever Signer contains the byte* public key you desire to extract.
ctx->cm->caTable[<whichever signer>]->publicKey
Can I pass the PEM data to InitDecodedCert and get the cert and then get the public key out of that?
No. As the API suggests this is "Initializing" a decoded certificate. So it is setting every value of the certificate structure to 0, or some default value. It is not actually decoding anything yet. It is just initializing the structure so it is not NULL.
Can I convert the PEM in memory to a DER then use InitDecodedCert to get the cert?
Again no. InitDecodedCert does not convert or decode anything. I believe you are looking for the function: "ParseCert"
Regards,
- Kaleb
Hi rskkya,
Depending on how you did the make and make install steps if you are able to include <wolfssl/options.h> that is guaranteed to give you the exact same settings as wolfssl was configured with. My apologies I should have suggested this first.
If however wolfssl/options.h is unavailable then you should incude wolfssl/wolfcrypt/settings.h as an alternate.
Regards,
- Kaleb
Hi rskkya,
It just sounds like there is a disagreement between the wolfssl libraries and your project. You have defined FREERTOS in the configuration of the wolfssl libraries so all the relevant portions of code were added to the libraries that you are now linking against however it sounds like your project does not have FREERTOS defined.
In your project could you try including <wolfssl/wolfcrypt/settings.h> and then your project will get the define for FREERTOS as well (since as you stated previously you had uncommented that define).
Regards,
-Kaleb
Hi rskkya,
Other CFLAGS you may want to play with include:
-mthumb
-ffunction-sections
-fdata-sections
-MD
-std=c99
-Wall
Alternate library in place of lrdimon:
-lnosys
(and add -specs=nosys.specs to CFLAGS and remove -specs=rdimon.specs)
Regards,
- Kaleb
Hi rskkya,
You have:
./configure LIBS="-lc -lm -lgcc -lrdimon" CPPFLAGS="-I/usr/include/" --disable-examples --enable-aesgcm --enable-camellia --enable-sha512 --enable-keygen --enable-certgen --enable-dsa --enable-ecc --host=arm-none-eabi CC= arm-none-eabi-gcc AR=arm-none-eabi-ar RANLIB=arm-none-eabi-ranlib --build= x86-linux-64 march=armv7 mcpu=cortex-m3
could you try also setting the assembly language compiler:
AS=arm-none-eabi-gcc
could you try also setting the Linker/loader:
LD=arm-none-eabi-ld
could you try adding the following to CFLAGS:
-specs=rdimon.specs
-O0 (that is a capital "OH" and a zero for optimization level 0)
-DFREERTOS
If you intend to do any debugging you can add the "-g" flag for debug symbols to CFLAGS as well.
so you should end up with something like this:
./configure LIBS="-lc -lm -lgcc -lrdimon" CPPFLAGS="-I/usr/include/" --disable-examples --enable-aesgcm --enable-camellia --enable-sha512 --enable-keygen --enable-certgen --enable-dsa --enable-ecc --host=arm-none-eabi CC= arm-none-eabi-gcc AR=arm-none-eabi-ar RANLIB=arm-none-eabi-ranlib AS=arm-none-eabi-gcc LD=arm-none-eabi-ld --build= x86-linux-64 march=armv7 mcpu=cortex-m3 CFLAGS="${CFLAGS} -DFREERTOS -O0 -specs=rdimon.specs"
If you still have issues after trying these changes let us know.
NOTE: If you define FREERTOS wolfSSL will look for various header files including FreeRTOS.h FreeRTOSConfig.h etc. You can add multiple include paths to get these headers for example above you had:
CPPFLAGS="-I/usr/include/"
Just extend that to be:
CPPFLAGS="-I/usr/include/ -I/path/to/FreeRTOS.h -I/path/to/FreeRTOSConfig.h -I/any/other/header/paths/etc"
Regards,
- Kaleb
Hi an.schall,
We haven't heard back from you in awhile I just wanted to confirm that you were able to get your project working. If not let us know and we'll see if there is anything further we can do to assist you.
Regards,
- Kaleb
Hi an.scall,
Have you seen our README on github for building TIRTOS with wolfSSL? I noticed you edited the .mak in our directory. Rather you should be modifying the .mak in ti/ directory.
You can find the README here: https://github.com/wolfSSL/wolfssl-exam … /README.md
I just worked through those same steps but instead of using
C:\
file paths I used
/home/khimes/ti
and
/home/khimes/wolfssl
.
Everything worked beautifully for setting up and building the tcpEchoTLS example provided by TI in their examples repo. There would be a lot of modifications required to get our examples off github working in Linux. That is something I plan to do in the future but have not had time to work on yet. However the readme will get you going on Linux.
Best Regards,
- Kaleb
Hi help_seeker,
I see you resolved your issue. Apologies we didn't get to your question sooner, busy week. You are correct the -b option will allow the server to "bind to any interface" rather than just local host.
It may be advantageous in your testing to also use the -d option to disable client authentication. Real world servers rarely do client auth.
Regards,
- Kaleb
Hi kranthi,
You said the return code is not MP_OKAY, can you tell us what the return code is that you are seeing?
Regards,
- Kaleb
Hi an.schall,
I will be taking a look at this as soon as I have a chance. Been a little busy here this week, I just wanted to let you know I have seen/am aware of your question I am just trying to find time to give it the attention it deserves. Will get back to you ASAP.
Best Regards,
- Kaleb
Hi Michael,
Sounds like a good plan. We look forward to hearing your progress. For a more private channel (posting logs and traces) feel free to open a ticket by sending an email to support@wolfssl.com or via zendesk directly.
Best Regards,
- Kaleb
Hi Michael,
Since that did not help the run-time functionality of your state machine, it would be helpful for us to go over the logs you mentioned previously. Additionally a glance at the wireshark trace is often helpful but I understand if you have sensitive information wanting to sanitize those first.
If you only wish to sanitize for cleanliness you can send us the whole capture and identify the relevant IP address(s) so we can filter out only the stream in question. I leave this to your discretion.
Best Regards,
- Kaleb
Hi Michael,
From previous experience with similar issues IE "fails but not when run in the debugger" my first thought is that the state machine is not handling the threads properly. Could you configure wolfSSL with SINGLE_THREADED defined and see if that resolves the issue?
If it does you may need to implement some form of mutual exclusion / locking mechanism in the state machine if using wolfSSL in a multi-threaded fashion.
I look forward to your results.
Regards,
- Kaleb
Hi Steve,
No problem. It was a good proof for us to work through on our end as well. Thank you for your question.
Best Regards,
Kaleb
Hi gawiz,
Our mp_int structure is laid out as seen below. You can view this structure in <wolfssl_root>/wolfssl/wolfcrypt/integer.h
/* the infamous mp_int structure */
typedef struct {
int used, alloc, sign;
mp_digit *dp;
} mp_int;
The Visual Studio compiler is complaining that the mp_digit pointer (dp) is potentially not initialized. By assigning 0x0 to this pointer at the time of declaration you can silence this warning. I would add a comment to note this is only to silence an MSVS static analysis warning.
I did the following in integer.c:
static int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d)
{
mp_int q;
q.dp = NULL;
... rest of the function here ...
}
Evaluating this thoroughly we have proven it can never be "uninitialized" by the time the assignment takes place. This is a false positive from MSVS.
Proof follows:
if c IS NOT NULL the mp_init_size will initialize q and malloc q.dp
The first time q is used if c IS NULL (outside the first if block) is in the for loop.
The value of c can not change between if block and for loop.
the value of c can not change within the for loop
before q is used in the for loop (the line MSVS complains about) c is again evaluated
if c IS NULL q will not be used / cannot be used "uninitialized"
we can conclude the following:
q is used iff c != NULL.
if c != NULL q is initialized in the if block (line 4096 below)
c cannot become NULL between if block and for loop,
therefore q.dp can never be used uninitialized.
4096 if (c != NULL) {
4097 if ((res = mp_init_size(&q, a->used)) != MP_OKAY) {
4098 return res;
4099 }
4100
4101 q.used = a->used;
4102 q.sign = a->sign;
4103 }
4104
4105 w = 0;
4106 for (ix = a->used - 1; ix >= 0; ix--) {
4107 w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]);
4108
4109 if (w >= b) {
4110 t = (mp_digit)(w / b);
4111 w -= ((mp_word)t) * ((mp_word)b);
4112 } else {
4113 t = 0;
4114 }
4115 if (c != NULL)
4116 q.dp[ix] = (mp_digit)t;
4117 }
Best regards,
Kaleb
Hi gawiz,
I added the configure option WOLFSSL_KEY_GEN and I was able to reproduce your warning. I will have a suggestion shortly.
Regards,
Kaleb
(Non-helpful response removed by kaleb)
wolfSSL - Embedded SSL Library → Posts by Kaleb J. Himes
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.047 seconds (58% PHP - 42% DB) with 4 queries