201

(8 replies, posted in wolfSSL)

Please remove -lib_wolfssl from the libs, the one right below that -lwolfssl should resolve to -libwolfssl.a

- K

202

(3 replies, posted in wolfSSL)

Hi dpkrai93,

Can you tell us a bit about yourself and which organization you represent? Can you tell us about the project you are working on involving TI and what is driving these questions? If you do not wish to disclose such details on a public forum please contact us at support@wolfssl.com for a more private venue.

The most common cause of oddly looping code is stack and heap collisions or corruption. Can you check that your stack and heap are set appropriately large enough to handle the TLS handshake?

Warm Regards,

K

Hi @endushka,

Can you tell us a bit about the background of your project involving OCSP? Can you tell us which organization you are representing? If you do not wish to disclose these details on a public forum please contact us at support@wolfssl.com for a more private venue and best response times.

OCSP Responder key usage check failed

This error means that the certificate does not contain the appropriate extension for signing other certificates.

   rfc2560 - 4.2.2.2  Authorized Responders

It is necessary however to
   ensure that the entity signing this information is authorized to do
   so.

The key usage extension specifies what the cert can be used for, in this case it would appear that the cert is not configured for signing other certificates and is being treated as an invalid signer. Can you check the key usage extension to confirm? What is the key usage extension set to in this case?


Regards,

K

Surekha,

Not a problem, thank you for the update.

Cheers,

K

205

(3 replies, posted in wolfSSL)

Hi @ktaylor,

No this is a fine place. For best response times and turnaround on questions you can email our support staff directly at support@wolfssl.com and connect with one of our engineers more directly but we do monitor both here and stack overflow as well (Saw your other copy there this morning when I got into work:  https://stackoverflow.com/questions/565 … -atecc508a

I've asked David Garske of wolfSSL to reach out when he has time, he's currently traveling for a trade event but should be back soon. David did all of the ATECC 508/608A work for us and might have an idea on how to resolve the issue you are facing.

While you're waiting for feedback from David would it be possible for you to share a bit about the project and your company? If you do not wish to disclose those details on a public forum please reach out to support@wolfssl.com for sharing project/entity details. If it helps we can setup an intro call and perhaps provide a venue for you to speak with David in person. If that would be helpful let me know and I'll ask one of our business directors to setup an introductory call to go over your current project and introduce you to wolfSSL and our organization.

Warm Regards,

K

206

(1 replies, posted in wolfCrypt)

Hi @sebdub79,

Can you tell us a bit about what you are working on that is driving these questions? Can you tell us a bit about your organization and the project end goals?

The numbers in the flyer are accurate and do not mention WOLFSSL_SMALL_STACK so one can not assume that the flyer relates to nor conveys numbers as they would pertain to WOLFSSL_SMALL_STACK. That setting tells the library "I have a small stack, use heap wherever possible instead of static buffers". You would see a decrease in STACK with that setting and an increase in HEAP comparable to the decrease in STACK that setting.

Warm Regards,

K

207

(8 replies, posted in wolfSSL)

Hi @dizgah,

I apologize for this confusion. Can you please exclude the aes_asm.S from the build, that should not be compiled as those assembly instructions are for Intel Chips. Could you please also add the settings

#define TFM_NO_ASM
#define WOLFSSL_NO_ASM

I am not sure why it is attempting to build those files unless the IDE toolchain is just trying to compile everything in the wolfcrypt directory and you need to exclude those from the build explicitly?

Warm Regards,

K

Hi @subale255,

Thank you for reaching out via the forums. We have not yet added PEM_write_DHparams to our compatibility layer for openSSL unfortunately and I don't have it down as an imminent addition at this time. Would you like me to add it to our list of requested features? How critical is it to your application? Our feature request list is something we track and work on based on popular demand IE the more unique organizations request a given feature the higher it becomes in priority. We work on features for free when we have spare time so there is no guaranteed delivery date for any items on the feature request list. If a customer has a high need they can choose to fund a feature implementation to guarantee a delivery date.

Can you tell us a bit about the end goals of the project and which organization the work is for if applicable?

Warm Regards,

K

209

(8 replies, posted in wolfSSL)

@dizgah,

As I understand en/decryption layer is isolated and abstracted from transportation layer in WolfSSL.Am I true ?

If you add the setting #define WOLFCRYPT_ONLY to the wolfssl-4.0.0/IDE/LPCEXPRESSO/lib_wolfssl/user_settings.h header that will turn off the SSL/TLS layer leaving you with just the wolfCrypt solution in that example. You can build and use the crypto library without the TLS library but the TLS library has a dependency on the crypto library and can not be built without the crypto.

Warm Regards,

K

@supale255,

It was my pleasure. If you need further assistance please contact us at support@wolfssl.com for best response times or here on the forums for non-pressing matters.

Warm Regards,

K

211

(8 replies, posted in wolfSSL)

@dizgah,

Can you tell us a bit about your use case and project goals?

It seems I need a network stack library for POSIX compliant socket functions(like LWIP)

It would depend on the use-case. wolfSSL is transport level agnostic meaning if it can send and receive we can do a TLS handshake over that medium. If you are planning on using Wifi/Ethernet then yes you would want a TCP/IP stack (like LWIP). If however it would better fit your use-case to do a TLS connection of USB/Serial then you could just register custom I/O callbacks with wolfSSL that read/write over USB serial instead. Again the use-case matters.

I need to test TLS connection with my LPC1768 processor(Bare metal/freeRTOS/etc.)
... is there any sample program or tutorial note where I need to start ?

We do provide an LPCExpresso example in our download wolfssl-4.0.0/IDE/LPCEXPRESSO/ The example was setup and tested on an LPC43S37 but you should be able to use and retarget for your LPC1768. That example only runs the wolfCrypt tests and benchmark but could be extended to a client/server example by referencing our examples in https://github.com/wolfSSL/wolfssl-exam … master/tls

Warm Regards,

K

Hi @subale255,

Can you share the contents of the cert that was generated? It looks like you are missing the country, province, etc setup. I'll include the entire example at the end but note this excerpt from one of our examples:

    wc_InitCert(&newCert);
    char country[3] = "US";
    char province[CTC_NAME_SIZE] = "MT";
    char city[CTC_NAME_SIZE] = "Bozeman";
    char org[CTC_NAME_SIZE] = "wolfSSL";
    char unit[CTC_NAME_SIZE] = "wolfSSL_Forums";
    char commonName[CTC_NAME_SIZE] = "Support";
    char email[CTC_NAME_SIZE] = "support@wolfssl.com";
    char daysValid[CTC_NAME_SIZE] = "10";

    XSTRNCPY(newCert.subject.country, country, XSTRLEN(country));
    XSTRNCPY(newCert.subject.state, province, CTC_NAME_SIZE);
    XSTRNCPY(newCert.subject.locality, city, CTC_NAME_SIZE);
    XSTRNCPY(newCert.subject.org, org, CTC_NAME_SIZE);
    XSTRNCPY(newCert.subject.unit, unit, CTC_NAME_SIZE);
    XSTRNCPY(newCert.subject.commonName, commonName, CTC_NAME_SIZE);
    XSTRNCPY(newCert.subject.email, email, CTC_NAME_SIZE);
    newCert.daysValid = atoi(daysValid);
    newCert.isCA    = 0;

Complete example:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/asn_public.h>
#include <wolfssl/wolfcrypt/rsa.h>
#include <wolfssl/test.h>

#define MAX_CERT_SZ 8192
#define HEAP_HINT NULL
#define FOURK_SZ  4096
#define RSA_E      65537

void free_things_ecc(byte** a, byte** b, byte** c, ecc_key* d, ecc_key* e,
                                                                     WC_RNG* f);

int make_self_signed_ecc_certificate(char* certOut) {
    int ret = 0;
    word32 index = 0;

    Cert newCert;
    ecc_key key;
    WC_RNG rng;

    int keyFileSz;
    byte keyBuf[FOURK_SZ] = {0};

    ret = wc_ecc_init(&key);
    if (ret != 0) {
        printf("Failed to initialize ecc key\nRET: %d\n", ret);
        return ret;
    }

    ret = wc_InitRng(&rng);
    if (ret != 0) {
        printf("Failed to initialize rng.\nRET: %d\n", ret);
        return ret;
    }

    if (wc_ecc_make_key(&rng, 32, &key) != 0) {
        printf("error making ecc key\n");
        return -1;
    }

    if (wc_EccKeyToDer(&key, keyBuf, sizeof(keyBuf)) < 0) {
        printf("error in ecc to der\n");
        return -1;
    }

    wc_InitCert(&newCert);
    char country[3] = "US";
    char province[CTC_NAME_SIZE] = "MT";
    char city[CTC_NAME_SIZE] = "Bozeman";
    char org[CTC_NAME_SIZE] = "wolfSSL";
    char unit[CTC_NAME_SIZE] = "wolfSSL_Forums";
    char commonName[CTC_NAME_SIZE] = "Support";
    char email[CTC_NAME_SIZE] = "support@wolfssl.com";
    char daysValid[CTC_NAME_SIZE] = "10";

    XSTRNCPY(newCert.subject.country, country, XSTRLEN(country));
    XSTRNCPY(newCert.subject.state, province, CTC_NAME_SIZE);
    XSTRNCPY(newCert.subject.locality, city, CTC_NAME_SIZE);
    XSTRNCPY(newCert.subject.org, org, CTC_NAME_SIZE);
    XSTRNCPY(newCert.subject.unit, unit, CTC_NAME_SIZE);
    XSTRNCPY(newCert.subject.commonName, commonName, CTC_NAME_SIZE);
    XSTRNCPY(newCert.subject.email, email, CTC_NAME_SIZE);
    newCert.daysValid = atoi(daysValid);
    newCert.isCA    = 0;
// pick one:
//    newCert.sigType = CTC_SHAwECDSA;
//    newCert.sigType = CTC_SHA224wECDSA;
    newCert.sigType = CTC_SHA256wECDSA;
//    newCert.sigType = CTC_SHA384wECDSA;
//    newCert.sigType = CTC_SHA512wECDSA;

    byte* certBuf = (byte*) XMALLOC(FOURK_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
    if (certBuf == NULL) {
        printf("Failed to initialize buffer to store certificate.\n");
        return -1;
    }

    XMEMSET(certBuf, 0, FOURK_SZ);
    int certBufSz = FOURK_SZ;

    ret = wc_MakeCert(&newCert, certBuf, FOURK_SZ, NULL, &key, &rng); //ecc certificate
    if (ret < 0) {
        printf("Failed to make certificate.\n");
        return ret;
    }
    printf("MakeCert returned %d\n", ret);

    ret = wc_SignCert(newCert.bodySz, newCert.sigType, certBuf, FOURK_SZ, NULL,
                                                              &key, &rng);
    if (ret < 0) {
        printf("Failed to sign certificate.\n");
        return ret;
    }
    printf("SignCert returned %d\n", ret);

    certBufSz = ret;

    printf("Successfully created new certificate\n");

    printf("Writing newly generated certificate to file \"%s\"\n",
                                                                 certOut);
    FILE* file = fopen(certOut, "wb");
    if (!file) {
        printf("failed to open file: %s\n", certOut);
        return -1;
    }

    ret = (int) fwrite(certBuf, 1, certBufSz, file);
    fclose(file);
    printf("Successfully output %d bytes\n", ret);

/*---------------------------------------------------------------------------*/
/* convert the der to a pem and write it to a file */
/*---------------------------------------------------------------------------*/
    int pemBufSz;

    printf("Convert the der cert to pem formatted cert\n");

    byte* pemBuf = (byte*) XMALLOC(FOURK_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
    if (pemBuf == NULL) {
        printf("Failed to initialize pem buffer.\n");
        return -1;
    }

    XMEMSET(pemBuf, 0, FOURK_SZ);

    pemBufSz = wc_DerToPem(certBuf, certBufSz, pemBuf, FOURK_SZ, CERT_TYPE);
    if (pemBufSz < 0) {
        printf("Failed to convert from der to pem.\n");
        return -1;
    }

    printf("Resulting pem buffer is %d bytes\n", pemBufSz);

    FILE* pemFile = fopen(certOut, "wb");
    if (!pemFile) {
        printf("failed to open file: %s\n", certOut);
        return -1;
    }
    fwrite(pemBuf, 1, pemBufSz, pemFile);
    fclose(pemFile);
    printf("Successfully converted the der to pem. Result is in:  %s\n\n",
                                                                 certOut);

    free_things_ecc(&pemBuf, &certBuf, NULL, &key, NULL, &rng);
    return 1;
}

void free_things_ecc(byte** a, byte** b, byte** c, ecc_key* d, ecc_key* e,
                                                                      WC_RNG* f)
{
    if (a != NULL) {
        if (*a != NULL) {
            XFREE(*a, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            *a = NULL;
        }
    }
    if (b != NULL) {
        if (*b != NULL) {
            XFREE(*b, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            *b = NULL;
        }
    }
    if (c != NULL) {
        if (*c != NULL) {
            XFREE(*c, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            *c = NULL;
        }
    }

    wc_ecc_free(d);
    wc_ecc_free(e);
    wc_FreeRng(f);

}

int main(int argc, char** argv)
{

    make_self_signed_ecc_certificate("mycert.pem");
    return 0;
}

Warm Regards,

K

213

(15 replies, posted in wolfSSL)

@zhq0918,

Can you please reach out to Rich Kelm (rich@wolfssl.com) directly to discuss how we can best continue supporting your efforts.

Thanks!

Regards,

K

214

(7 replies, posted in wolfSSL)

Hi Sharklasers,

Can you tell us what the project is and for whom? If you can not share details on a public forum please contact us via support@wolfssl.com, we would enjoy learning more about your project and end goals.

The error is telling you to configure FP_MAX_BITS to be larger. That define should be set to the largest key size time 2 so for RSA-4096 bit you would want to set it to 8192, if the largest key is DH-2048-bit then set it to 4096 and so on. Configure with

CFLAGS="<other flags> -DFP_MAX_BITS=8192"

(for example)

Regards,

K

215

(15 replies, posted in wolfSSL)

@zhq0918,

If successful outside the enclave then should work just fine inside the enclave IF the enclave has the exact same configuration. Do me a favor check what is in the header wolfssl/options.h outside the enclave where the tests pass and compare that to the SGX makefiles (all three, sgx_t_static.mk, sgx_t.mk, sgx_u.mk). For each wolfSSL specific setting in wolfssl/options.h add it to the Wolfssl_C_Extra_Flags in all three makefiles:

Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
Wolfssl_C_Extra_Flags += -D<OTHER SETTING FROM wolfssl/options.h>
Wolfssl_C_Extra_Flags += -D<next setting.. and so on>...

Get the two identically configured so that the test outside that succeeds is a true comparison to the test inside that is failing.

Warm Regards,

K

216

(15 replies, posted in wolfSSL)

Please try using the updated format I sent previously with return lines hard-coded.

- KH

217

(15 replies, posted in wolfSSL)

In the code you shared I still see API's ending in

_file

. The suggestion was to instead try utilizing the

_buffer

methods unless you have written out calls for file operations.

- K

218

(15 replies, posted in wolfSSL)

zhq0918,

Is this for a commercial project or something else? Perhaps the best way for us to assist you on this is to get you under a support agreement so we can setup a technical call to work through your issues. Where are you located in the world? I can have one of our Business managers reach out to you directly to setup an intro call and discuss a more optimal path forward in your work with the SGX solution.

Warm Regards,

K

219

(15 replies, posted in wolfSSL)

Try this format instead see if the NO_PEM_HEADER issue persists:

static const unsigned char certBuf[] = {
"-----BEGIN CERTIFICATE-----\n\
MIIEyjCCA7KgAwIBAgIJAKrEv0xQvVV3MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD\n\
VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG\n\
A1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0yMDQ4MRgw\n\
FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s\n\
ZnNzbC5jb20wHhcNMTgwNDEzMTUyMzA5WhcNMjEwMTA3MTUyMzA5WjCBnjELMAkG\n\
A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT\n\
BgNVBAoMDHdvbGZTU0xfMjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEY\n\
MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv\n\
bGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwwPRK/45\n\
pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvGw0Se1IFI/S1oootnu6F1yDYs\n\
StIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJW+Q098WwFJP1Z3s6enjhAVZW\n\
kaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbfG36/TpfQEOioCDCBryALQxTF\n\
dGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnNrv94bHvAEgPUTnINUG07ozuj\n\
mV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAYE7BjtXJOMMSXhIYtVi/XFfd/\n\
wK71/Fvl+6G60wIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFDPYRWbXaIcYflQNcCeR\n\
xybXhWXAMIHTBgNVHSMEgcswgciAFDPYRWbXaIcYflQNcCeRxybXhWXAoYGkpIGh\n\
MIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96\n\
ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWlu\n\
Zy0yMDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEW\n\
EGluZm9Ad29sZnNzbC5jb22CCQCqxL9MUL1VdzAMBgNVHRMEBTADAQH/MA0GCSqG\n\
SIb3DQEBCwUAA4IBAQCAUlRhKneAU0SpgG1F/w0lfRqPI5NTdDUSb/AuIOrtgGNp\n\
iOYMoUkw4ILbaA9+hKz//3tC+n4vslKf0nleNRInNrzfllhEllXISpQCX0qd3NM6\n\
922si3lu/L6PI1hqivU4CkL2mHSIUy4Cr+EOvm/MdDN87LTLp0ltgkJP63MpwzIA\n\
KxX4iHqPbSAbrmVfxdCK0eJkbaOo/mThqVvm0CPWAnJa7AOOh2cZjeSomRXBPZFI\n\
mY3+rhy/9igbRb6t73KDmvbHO1GjbnpzvYOql/1jtPRrHBSBmu8UJNPhi/QEBIRU\n\
D2GiqPJQNwwXDLzgwoSF9AuuAMqfJ+JETxULix20\n\
-----END CERTIFICATE-----\n\n"};

220

(15 replies, posted in wolfSSL)

And i verified the certificate chain with openssl success. but in sgx, the return value of  wolfSSL_X509_verify_cert always is WOLFSSL_FATAL_ERROR,I want know the method of use certificate chain.thanks a lot.

SSL_CTX_use_certificate_chain_file requires opening a file, reading in from the file stream and closing the file after it's been read into a buffer. On the other issue you were facing problems with the close() function so likely it's erring out unable to open the file stream much less read it in.

I would recommend placing the cert into a buffer and using

wolfSSL_CTX_use_cerificate_buffer(ctx, certBuf, certBufSz, WOLFSSL_FILETYPE_PEM);

instead. Here is an example:

// Header file mycert.h
static const unsigned char certBuf[] = {
"-----BEGIN CERTIFICATE-----\
MIIEyjCCA7KgAwIBAgIJAKrEv0xQvVV3MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD\
VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG\
A1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0yMDQ4MRgw\
FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s\
ZnNzbC5jb20wHhcNMTgwNDEzMTUyMzA5WhcNMjEwMTA3MTUyMzA5WjCBnjELMAkG\
A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT\
BgNVBAoMDHdvbGZTU0xfMjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEY\
MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv\
bGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwwPRK/45\
pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvGw0Se1IFI/S1oootnu6F1yDYs\
StIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJW+Q098WwFJP1Z3s6enjhAVZW\
kaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbfG36/TpfQEOioCDCBryALQxTF\
dGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnNrv94bHvAEgPUTnINUG07ozuj\
mV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAYE7BjtXJOMMSXhIYtVi/XFfd/\
wK71/Fvl+6G60wIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFDPYRWbXaIcYflQNcCeR\
xybXhWXAMIHTBgNVHSMEgcswgciAFDPYRWbXaIcYflQNcCeRxybXhWXAoYGkpIGh\
MIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96\
ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWlu\
Zy0yMDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEW\
EGluZm9Ad29sZnNzbC5jb22CCQCqxL9MUL1VdzAMBgNVHRMEBTADAQH/MA0GCSqG\
SIb3DQEBCwUAA4IBAQCAUlRhKneAU0SpgG1F/w0lfRqPI5NTdDUSb/AuIOrtgGNp\
iOYMoUkw4ILbaA9+hKz//3tC+n4vslKf0nleNRInNrzfllhEllXISpQCX0qd3NM6\
922si3lu/L6PI1hqivU4CkL2mHSIUy4Cr+EOvm/MdDN87LTLp0ltgkJP63MpwzIA\
KxX4iHqPbSAbrmVfxdCK0eJkbaOo/mThqVvm0CPWAnJa7AOOh2cZjeSomRXBPZFI\
mY3+rhy/9igbRb6t73KDmvbHO1GjbnpzvYOql/1jtPRrHBSBmu8UJNPhi/QEBIRU\
D2GiqPJQNwwXDLzgwoSF9AuuAMqfJ+JETxULix20\
-----END CERTIFICATE-----"};

// SPECIAL NOTE: Notice the escapes added at the end of each line after copy/paste.
static const int certBufSz = (int) sizeof(certBuf);
// Application code:

#include "mycert.h"

...

    wolfSSL_CTX_use_cerificate_buffer(ctx, certBuf, certBufSz, WOLFSSL_FILETYPE_PEM);

...

Regards,

K

zhq0918,

Not a problem, the Enclave stuff can be very confusing the first time through, thus my recommendation to review the intel documentation https://software.intel.com/en-us/downlo … oper-guide

Imagine the Enclave as a black box of nothingness. It isn't allowed to do anything you don't let it IE if you do not provide it functionality it won't know what it is. I am referring to things we might take for granted in typical programming such as scanf, printf, DEBUG_LOGGING (writing to a file stream) etc. The enclave doesn't know what a file stream is, it doesn't even know what a file is unless you tell it. Anything that involves I/O (reading/writing) will have to occur outside the enclave in the untrusted space. You can then pass things into the enclave by either:

A) pass a buffer pointer out of the enclave to be written to
B) Pass a buffer pointer into the enclave for the enclave to read from

We have to specifically note these types of calls as untrusted however because it is information being gathered from outside the enclave or passed into the enclave from the untrusted execution space. IE if a malicious actor gained full control of the system that malicious actor still could do nothing about the code running inside the enclave but they might be able to pass in stuff via untrusted out_calls so we map those in the untrusted section of the .edl. Anyway, please take time to peruse the intel documentation it will help give a much more thorough understanding of the execution space and you'll start to see patterns of what types of things (IE "close being undefined") are expected and how to resolve them.

Regards,

K

222

(6 replies, posted in wolfSSL)

Hi @Deltree,

It appears there might be some issue with the entropy source on the device. Can you review the porting guide section here:

https://www.wolfssl.com/docs/porting-gu … 2ipxp7p1y3

You may need to setup an alternate entropy source if the default one is failing to return random data.

Warm Regards,

K

223

(6 replies, posted in wolfSSL)

Not sure if it will fix anything but could you change the makefile to this (it's more standard solution):

CFLAGS    = -g -O2 -Wall $(MACHDEP) $(INCLUDE) -I/home/deltree/Downloads/Wii/DEV/wolfssl-4.0.0-stable/
LIBS    :=    -L/home/deltree/Downloads/Wii/DEV/wolfssl-4.0.0-stable/src/.libs -lwolfssl -lfat -lwiiuse -lbte -logc -lm 

Can you turn on debugging with #define DEBUG_WOLFSSL  and then invoke wolfSSL_Debugging_ON(); in your application.

Regards,

K

224

(6 replies, posted in wolfSSL)

Hi @Deltree,

When configuring the wolfSSL library we have to make sure the application includes the same configuration settings. I think you may just be missing a header include for either wolfssl/wolfcrypt/settings.h or wolfssl/options.h. NOTE: wolfssl/options.h is generated when you use ./configure && make to build the library. If you are using some other means to configure the library you should make sure that your settings get included in wolfssl/wolfcrypt/settings.h and then make sure to include wolfssl/wolfcrypt/settings.h in your application.

Your code actually looks fine in fact I tested it successfully, here is a the quick app I threw together using our example from https://github.com/wolfSSL/wolfssl-exam … ient-tls.c and marrying it with your code, it runs fine when tested with our example server

SERVER COMMAND:

cd wolfssl/
./examples/server/server -d

CLIENT CODE:

#include <stdio.h>

#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/random.h>
#define SSLERR -1

int main(int argc, char** argv)
{

/* WOLFSSL SUPPORT CODE: START */
    int                sockfd;
    struct sockaddr_in servAddr;
    char               buff[256];
    size_t             len;
    #define DEFAULT_PORT 11111

    /* Check for proper calling convention */
    if (argc != 2) {
        printf("usage: %s <IPv4 address>\n", argv[0]);
        return 0;
    }

    /* Create a socket that uses an internet IPv4 address,
     * Sets the socket to be stream based (TCP),
     * 0 means choose the default protocol. */
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        fprintf(stderr, "ERROR: failed to create the socket\n");
        return -1;
    }

    /* Initialize the server address struct with zeros */
    memset(&servAddr, 0, sizeof(servAddr));

    /* Fill in the server address */
    servAddr.sin_family = AF_INET;             /* using IPv4      */
    servAddr.sin_port   = htons(DEFAULT_PORT); /* on DEFAULT_PORT */

    /* Get the server IPv4 address from the command line call */
    if (inet_pton(AF_INET, argv[1], &servAddr.sin_addr) != 1) {
        fprintf(stderr, "ERROR: invalid address\n");
        return -1;
    }



    /* Connect to the server */
    if (connect(sockfd, (struct sockaddr*) &servAddr, sizeof(servAddr))
        == -1) {
        fprintf(stderr, "ERROR: failed to connect\n");
        return -1;
    }
/* WOLFSSL SUPPORT CODE: BREAK */

/* USER CODE (@Deltree): START */
    WOLFSSL_CTX* ctx = NULL;
    WOLFSSL* sslSock = NULL;

    wolfSSL_Init();

    ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

    if ( ctx == NULL ) 
    {
            printf("ERRO: WOLFSSL_CTX\n");
        return(SSLERR);
    }

    sslSock = wolfSSL_new(ctx);

    if ( sslSock == NULL ) 
    {
        int error = wolfSSL_get_error(sslSock, 0);
        char *errStr="";
        wolfSSL_ERR_error_string((unsigned long) error, errStr);
            printf("ERRO: wolfSSL_new: %d , %s\n", error, errStr);
        wolfSSL_CTX_free(ctx);
        wolfSSL_Cleanup();
            return(SSLERR);
    }
/* USER CODE (@Deltree): END */

/* WOLFSSL SUPPORT CODE: RESUME */
    /* Attach wolfSSL to the socket */
    wolfSSL_set_fd(sslSock, sockfd);

    /* Connect to wolfSSL on the server side */
    if (wolfSSL_connect(sslSock) != SSL_SUCCESS) {
        fprintf(stderr, "ERROR: failed to connect to wolfSSL\n");
        return -1;
    }

    /* Get a message for the server from stdin */
    printf("Message for server: ");
    memset(buff, 0, sizeof(buff));
    fgets(buff, sizeof(buff), stdin);
    len = strnlen(buff, sizeof(buff));

    /* Send the message to the server */
    if (wolfSSL_write(sslSock, buff, len) != len) {
        fprintf(stderr, "ERROR: failed to write\n");
        return -1;
    }

    /* Read the server data into our buff array */
    memset(buff, 0, sizeof(buff));
    if (wolfSSL_read(sslSock, buff, sizeof(buff)-1) == -1) {
        fprintf(stderr, "ERROR: failed to read\n");
        return -1;
    }

    /* Print to stdout any data the server sends */
    printf("Server: %s\n", buff);

    /* Cleanup and return */
    wolfSSL_free(sslSock);      /* Free the wolfSSL object                  */
    wolfSSL_CTX_free(ctx);  /* Free the wolfSSL context object          */
    wolfSSL_Cleanup();      /* Cleanup the wolfSSL environment          */
    close(sockfd);          /* Close the connection to the server       */
/* WOLFSSL SUPPORT CODE: END */
    return 0;
}


RESULT:

kalebhimes$ ./run 127.0.0.1
Message for server: yo
Server: I hear you fa shizzle!

Regards,

K

@zhq0918,

If you are trying to do mutual authentication then YES the above noted API's are all you need. wolfSSL will internally verify the certificates expiration data, the validity of it's signature based on whatever cert the server has loaded to verify the client with and any extensions and their validity within the cert. The client will do the same:

SERVER SIDE:

wolfSSL_CTX_load_verify_[locations | buffer] - Load the ROOT CA that signed the --CLIENTS-- certificate chain.

wolfSSL_CTX_use_certificate_[file | buffer] - Load the --SERVERS-- certificate chain of trust with the only optional item being the root CA (The --CLIENT-- will already have a copy of the --SERVERS-- Root CA that signed the --SERVERS-- certificate chain so the root CA does not have to be sent during the handshake along with the rest of the chain)

wolfSSL_CTX_use_PrivateKey_[file | buffer] - Load the --SERVERS-- private key that is associated with the --SERVERS-- entity certificate.

CLIENT SIDE:

wolfSSL_CTX_load_verify_[locations | buffer] - Load the ROOT CA that signed the --SERVERS-- certificate chain.

wolfSSL_CTX_use_certificate_[file | buffer] - Load the --CLIENTS-- certificate chain of trust with the only optional item being the root CA (The --SERVER-- will already have a copy of the --CLIENTS-- Root CA that signed the --CLIENTS-- certificate chain so the root CA does not have to be sent during the handshake along with the rest of the chain)

wolfSSL_CTX_use_PrivateKey_[file | buffer] - Load the --CLIENTS-- private key that is associated with the --CLIENTS-- entity certificate.

Warm Regards,

K