Hi alexander79,

I can not fix your code unfortunately. I have never worked in or with C++ or C# unfortunately and cannot get your code to compile in a reasonable amount of time. What I will do is post two examples of an example client and server in our examples directory on github. You can view the code there and try to translate that into your working language/environment.

Link to client: https://github.com/wolfSSL/wolfssl-exam … ls-ecdhe.c

Link to server: https://github.com/wolfSSL/wolfssl-exam … ls-ecdhe.c

I am also including a diff of the base client with the ecdh additions so you can see what changes were made:

Client diff:

--- client-tls.c    2015-08-28 14:02:17.000000000 -0600
+++ client-tls-ecdhe.c    2015-08-28 13:44:15.000000000 -0600
@@ -23,12 +23,14 @@
 #include    <string.h>
 #include    <errno.h>
 #include    <arpa/inet.h>
+#include    <wolfssl/options.h>
 #include    <wolfssl/ssl.h>          /* wolfSSL security library */
+#include    <wolfssl/test.h>
 
 #define MAXDATASIZE  4096           /* maximum acceptable amount of data */
 #define SERV_PORT    11111          /* define default port number */
 
-const char* cert = "../certs/ca-cert.pem";
+const char* cert = "../certs/server-ecc.pem";
 
 /*
  * clients initial contact with server. (socket to connect, security layer)
@@ -68,6 +70,10 @@
     WOLFSSL_CTX* ctx;
     WOLFSSL*     ssl;    /* create WOLFSSL object */
     int         ret = 0;
+    const char* myCert        = "../certs/client-ecc-cert.pem";
+    const char* myKey         = "../certs/ecc-client-key.pem";
+    char* cipherList          = "ECDHE-ECDSA-CHACHA20-POLY1305";
+    char buffer[WOLFSSL_MAX_ERROR_SZ];
 
     wolfSSL_Init();      /* initialize wolfSSL */
 
@@ -77,11 +83,25 @@
         return EXIT_FAILURE;
     }
 
+    if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
+            err_sys("client can't set cipher list 1");
+
+    if (wolfSSL_CTX_use_certificate_chain_file(ctx, myCert)
+                                                               != SSL_SUCCESS)
+            err_sys("can't load client cert file, check file and run from"
+                    " wolfSSL home dir");
+
+    if (wolfSSL_CTX_use_PrivateKey_file(ctx, myKey, SSL_FILETYPE_PEM)
+                                         != SSL_SUCCESS)
+            err_sys("can't load client private key file, check file and run "
+                    "from wolfSSL home dir");
+
     /* load CA certificates into wolfSSL_CTX. which will verify the server */
     if (wolfSSL_CTX_load_verify_locations(ctx, cert, 0) != SSL_SUCCESS) {
         printf("Error loading %s. Please check the file.\n", cert);
         return EXIT_FAILURE;
     }
+
     if ((ssl = wolfSSL_new(ctx)) == NULL) {
         printf("wolfSSL_new error.\n");
         return EXIT_FAILURE;
@@ -91,8 +111,14 @@
     ret = wolfSSL_connect(ssl);
     if (ret == SSL_SUCCESS) {
         ret = ClientGreet(sock, ssl);
+    } else {
+        printf("Failure:");
+        ret = wolfSSL_get_error(ssl, 0);
+        printf(" ret = %d", ret);
+        printf(" %s\n", wolfSSL_ERR_error_string(ret, buffer));
     }
 
+
     /* frees all data before client termination */
     wolfSSL_free(ssl);
     wolfSSL_CTX_free(ctx);

Server diff:

--- server-tls.c    2015-08-28 14:05:27.000000000 -0600
+++ server-tls-ecdhe.c    2015-08-28 14:06:19.000000000 -0600
@@ -32,6 +32,7 @@
 #include <netinet/in.h>
 #include <stdlib.h>
 #include <errno.h>
+#include <wolfssl/options.h>
 
 /* include the wolfSSL library for our TLS 1.2 security */
 #include <wolfssl/ssl.h>
@@ -124,6 +125,7 @@
     int ret      = 0; /* Return value */
     /* Server and client socket address structures */
     struct sockaddr_in serverAddr, clientAddr;
+    char* cipherList = "ECDHE-ECDSA-CHACHA20-POLY1305";
 
     /* Initialize wolfSSL */
     wolfSSL_Init();
@@ -141,7 +143,7 @@
     }
 
     /* Load server certificate into WOLFSSL_CTX */
-    if (wolfSSL_CTX_use_certificate_file(ctx, "../certs/server-cert.pem",
+    if (wolfSSL_CTX_use_certificate_file(ctx, "../certs/server-ecc.pem",
                 SSL_FILETYPE_PEM) != SSL_SUCCESS) {
         fprintf(stderr, "Error loading certs/server-cert.pem, please check"
                 "the file.\n");
@@ -149,13 +151,16 @@
     }
 
     /* Load server key into WOLFSSL_CTX */
-    if (wolfSSL_CTX_use_PrivateKey_file(ctx, "../certs/server-key.pem",
+    if (wolfSSL_CTX_use_PrivateKey_file(ctx, "../certs/ecc-key.pem",
                 SSL_FILETYPE_PEM) != SSL_SUCCESS) {
         fprintf(stderr, "Error loading certs/server-key.pem, please check"
                 "the file.\n");
         return EXIT_FAILURE;
     }
 
+    if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
+            printf("client can't set cipher list 1");
+
     /* Initialize the server address struct to zero */
     memset((char *)&serverAddr, 0, sizeof(serverAddr));
 

Hi Alexander79,

For question 1:
The server is going to connect to the socket and call wolfSSL_accept() where it will wait to read 5 bytes (ssl record header). If after reading the 5 byte record header the server determines whether the connection is not a TLS connection wolfSSL_accept() will return an error code which your application can then check. At that point your application can do whatever you desire with the socket. example:

if (wolfSSL_accept(ssl) != SSL_SUCCESS)                                     
      {                                                                           
          int err = wolfSSL_get_error(ssl, 0);                                    
          char buffer[WOLFSSL_MAX_ERROR_SZ];                                      
          printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); 
          /*err_sys("SSL_accept failed");*/                                                              
      }

Question 2:
You will need to use DHE or ECDHE based cipher suite. You can set these by using wolfSSL_CTX_set_cipher_list() this function is defined in wolfssl/ssl.h. example:

if (wolfSSL_CTX_set_cipher_list(cipherSuiteCtx, suite) == SSL_SUCCESS)
      valid = 1

For negotiating the ephemeral key you will have to load a public and private key file however the ephemeral key will automatically be negotiated internally in our libraries.

Load public key:

         if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM)        
                                          != SSL_SUCCESS)
                         err_sys("can't load server cert file, check file and run from"      
                     " wolfSSL home dir");

Load private key:

         if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)          
                                          != SSL_SUCCESS)                        
             err_sys("can't load server private key file, check file and run "   
                 "from wolfSSL home dir");

Kind Regards,

Kaleb

Hi Steve,

Thank you for the project details! I wanted to check back and see if those configure options got you to your target footprint or close?

Kind Regards,

Kaleb

Hi cfarrin,

That is excellent news. I am glad you were able to resolve the issue!

Regards,

Kaleb

Hi cfarrin,

Did you define HAVE_SESSION_TICKET or configure with the option --enable-session-ticket? If not try this compile option:

gcc xxx.c -o xxx -lm -lwolfssl C_EXTRA_FLAGS="-DHAVE_SESSION_TICKET"

If you have and that is not the issue respond to this and I will look into it further.

Kind Regards,

Kaleb

Hi Subhash,

That is good news. Glad you were able to get it working!

Regards,

Kaleb

Hi delphiwolf,

In January our library underwent a name change from CyaSSL to wolfSSL the cyassl and ctaocrypt directories now contain bakwards-compatibility files for clients who had the library prior to the name change. This way if they update to our newest release any existing projects they have will still compile with the old API calls.

If you are starting fresh with the latest API and do not need backwards compatibility in most cases they will not be needed.
Cases when they would be needed:
      1. Some of our example projects if you decide to use them may reference an old API call that was left in place for
          compatibility testing.
      2. If working in a Unix/Linux environment and building our library with auto tools, Makefile.am will expect cyassl and
          ctaocrypt directories to be there and will fail if they are not.
      3. Some files have the line "#include <cyassl/ssl.h>" for backwards compatibility. If you get an error saying the file cannot
          be opened simply remove that line if you do not need that functionality.

While working on your projects should you decide to remove cyassl/ and ctaocrypt/ directories and you come across an error like the following: "Undefined reference to CyaSSL_get_cipher did you mean wolfSSL_get_cipher?" that is an example of the compatibility layer not being in place simply change the name and you will be linking against the new API. for a complete list of the name changes reference cyassl/ssl.h.

Kind Regards,

Kaleb

Hi sbernard,

Firstly thank you so much for the details of your project!

I discussed your issue with the team last night. By commenting out this line in our example server:

503 //        SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");

We were able to reproduce your error.

A commit has been made to fix the bug. If you clone our github development branch (https://github.com/wolfSSL/wolfssl.git) you should now be able to test successfully against scandium server (we have not tested against scandium ourselves but will if you have any other complications). Thank you so much for contacting us with your issue! It has been highly helpful and we hope we have helped you in turn.

My Sincerest Regards,

Kaleb

Hi sbernard,

Try using the following options. I am providing flags for both server and client in the case you would like to test wolfSSL internally before testing an external connection:

For TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8

Server options:

./examples/server/server -u -v 3 -l ECDHE-ECDSA-AES128-CCM-8 -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem

Client options:

./examples/client/client -u -v 3 -l ECDHE-ECDSA-AES128-CCM-8 -A ./certs/server-ecc.pem

To read more about these options and flags please use:

./examples/server/server -help

Hi Jeff,

I will do all I can to assist in this. Could you help me to better realize the full scope and detail of your project? I have reviewed your question and reached out to one of our contacts over at TI. He said

Other sources that may be helpful:

Porting to new environments
http://wolfssl.com/wolfSSL/Docs-wolfssl … guide.html

wolfSSL Texas Instruments Support
http://wolfssl.com/wolfSSL/wolfssl-ti.html

http://processors.wiki.ti.com/index.php … th_TI-RTOS

I hope this helps and look forward to assisting you in any way I can. Please do not hesitate to reach out if you have further questions.

Kind Regards,

Kaleb

Hi ciruzzo,

Thank you so much for your feedback on the project we'll be discussing it today in our team meeting. If we think of anything that might help you solve your problem someone will be in touch!

Kind Regards,

Kaleb

Hi sissiok,

Just to double check have you included options.h header in your project and is it in scope of the file you're working with?

We're confident in RSA_genkey and it's been thouroughly vetted with valgrind on every release. My guess would be the definition of RsaKey or RNG is not getting pulled in somehow and it's being treated as a pointer and not a stucture.

Essentially an invalid write of size 8 is usually something that should be larger and is instead the size of a pointer. This line ==16570==  Address 0xfff001458 is not stack'd, malloc'd or (recently) free'd tells us that one of the parameters or one of the local variables is either not on the stack, has not been malloced yet, or has already been malloced previously somewhere, modified, and not freed before being called here.

Kind Regards,

Kaleb