Hi DanielGruber,

I pushed a few FreeRTOS fixes to that MQTT multi-threading PR here: https://github.com/wolfSSL/wolfMQTT/pul … 7a4cc203eb

Let me know if you still see any issues on FreeRTOS.

Thanks,
David Garske, wolfSSL

(1 replies, posted in wolfMQTT)

Hi rvogel,

Your code looks correct for loading a trusted CA. I would suggest it's not locking up, but instead is taking a long time. Internally it's doing an asymmetric verify operation. Are you able to see with a debugger where it's "locking up"? Have you confirmed you have enough stack/heap available? Is this an ECC or RSA certificate? Have you tried enabling debug logging? To do so, define `DEBUG_WOLFSSL` and call `wolfSSL_Debugging_ON();`. If you want to redirect to printf instead of the default sprintf(stderr define `WOLFSSL_LOG_PRINTF`.

Thanks,
David Garske, wolfSSL

Hi windyMk92,

The error you are seeing is because the wolfSSL library is missing --enable-ed25519. See the instructions for setting up the Python signing tool here:
https://github.com/wolfSSL/wolfBoot/blo … ll-python3

Interestingly, we also just merged in a pure C version of the signing tool along with a Visual Studio project in tools/keytools. See the section here: https://github.com/wolfSSL/wolfBoot/blo … gning-tool

Thanks,
David Garske, wolfSSL

Hi DanielGruber,

The issue turned out to be thread synchronization and switching to a binary semaphore resolved things. The code has been pushed here and is under peer review:
https://github.com/wolfSSL/wolfMQTT/pull/146

Thanks,
David Garske, wolfSSL

Hi DanielGruber,

We can reproduce the issue and are working on a fix. Once it is available I will post a link here shortly.

Thanks,
David Garske, wolfSSL

Hi DanielGruber,

Thanks for the detailed report for wolfMQTT and multithreading. I will see if I can reproduce and resolve.

David Garske, wolfSSL

Hi ashetty,

Those functions are "internal" as defined by `WOLFSSL_LOCAL`, which tells the compiler not to export them via wolfssl/wolfcrypt/visibility.h `#define WOLFSSL_LOCAL __attribute__ ((visibility("hidden")))`.

Is there a reason you aren't using a public API like: `wolfSSL_get_cipher_list`, `wolfSSL_get_ciphers`, `wolfSSL_get_ciphers_iana`?

If you really want to expose the internal APIs you'll need to un-define HAVE_VISIBILITY or un-define BUILDING_WOLFSSL.

Thanks,
David Garske, wolfSSL

(1 replies, posted in wolfSSL)

Hi yighax2,

Check out our wolfssl-examples repo. We have a few examples that will help you with this:

https://github.com/wolfSSL/wolfssl-exam … -callbacks
https://github.com/wolfSSL/wolfssl-exam … master/tls
See the "-callback" TLS examples

These use our custom IO callbacks, which are set using:
wolfSSL_CTX_SetIORecv(ctx, my_IORecv);
wolfSSL_CTX_SetIOSend(ctx, my_IOSend);

You can also set a custom pointer context using:
wolfSSL_SetIOReadCtx(ssl, &recvCtx);
wolfSSL_SetIOWriteCtx(ssl, &sendCtx);

You can build with `WOLFSSL_USER_IO` to disable the internal "socket" handling and require use of these IO callbacks.

Thanks,
David Garske, wolfSSL
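
A memory-backed pair of callbacks of the kind registered with `wolfSSL_CTX_SetIORecv` / `wolfSSL_CTX_SetIOSend` above, as an added example that is not part of the original post or the wolfSSL sources. `MemIo` and `memio_push` are hypothetical, and the `CBIO_*` constants are stand-ins for wolfSSL's `WOLFSSL_CBIO_ERR_*` values so the block compiles without the library.

```c
#include <string.h>

/* Stand-ins so this compiles alone; in a real build include <wolfssl/ssl.h>
 * and use WOLFSSL and the WOLFSSL_CBIO_ERR_* values instead. */
typedef struct WOLFSSL WOLFSSL;
enum { CBIO_ERR_GENERAL = -1, CBIO_ERR_WANT_READ = -2, CBIO_ERR_WANT_WRITE = -2 };

/* Hypothetical transport context: a byte queue filled by a UART/radio driver. */
typedef struct { unsigned char data[256]; int head, tail; } MemIo;

/* Queue bytes into the buffer; returns how many were accepted (may be fewer). */
int memio_push(MemIo* io, const void* src, int sz)
{
    int room = (int)sizeof(io->data) - io->tail;
    if (sz > room) sz = room;          /* never write past the buffer */
    if (sz <= 0) return 0;
    memcpy(io->data + io->tail, src, (size_t)sz);
    io->tail += sz;
    return sz;
}

/* Receive callback: ctx is the pointer given to wolfSSL_SetIOReadCtx. */
int my_IORecv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
{
    MemIo* io = (MemIo*)ctx;
    int avail;
    (void)ssl;
    if (io == NULL || buf == NULL || sz < 0) return CBIO_ERR_GENERAL;
    avail = io->tail - io->head;
    if (avail == 0) return CBIO_ERR_WANT_READ;  /* no data yet: caller retries */
    if (sz > avail) sz = avail;                 /* short read, bounded by queue */
    memcpy(buf, io->data + io->head, (size_t)sz);
    io->head += sz;
    if (io->head == io->tail) io->head = io->tail = 0;  /* reclaim space */
    return sz;
}

/* Send callback: ctx is the pointer given to wolfSSL_SetIOWriteCtx. */
int my_IOSend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
{
    MemIo* io = (MemIo*)ctx;
    int n;
    (void)ssl;
    if (io == NULL || buf == NULL || sz < 0) return CBIO_ERR_GENERAL;
    n = memio_push(io, buf, sz);
    return (n == 0 && sz > 0) ? CBIO_ERR_WANT_WRITE : n;  /* full: retry later */
}
```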

Hi isnipenow,

See the `wc_RsaPublicKeyDecode` function.

Our wolfssl-examples repository has many examples:
https://github.com/wolfSSL/wolfssl-exam … rify.c#L85

Documentation:
https://www.wolfssl.com/doxygen/group__ … 35bda1f728

Thanks,
David Garske, wolfSSL

(2 replies, posted in wolfSSL)

Hi pbreed,

Thanks for the forum question. You can also use our support@wolfssl.com ZenDesk system for faster responses.

Can you describe how you are building wolfSSL? Internally we have mutex protection if threading is enabled.

If the --enable-singlethreaded option is set or SINGLE_THREADED is defined then threading is not supported.

Thanks,
David Garske, wolfSSL

Hi noahh0123,

Try setting the RNG for the RsaKey using:
int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng)

See the following:
https://github.com/wolfSSL/wolfssl-exam … h-sign-rsa
https://www.wolfssl.com/forums/topic111 … -data.html

David Garske, wolfSSL

Hi burakkirazli,

It depends on the algorithms enabled/used and the FP_MAX_BITS you have defined. The ECC and RSA algorithms use fast math.

Typically during a TLS connection you'll have several of these on the stack. I recommend starting with 10KB of stack and then looking at your stack high watermark to determine how much to reduce.

For RSA the FP_MAX_BITS is double the maximum key size. RSA 2048-bit requires double the max bits, so 4096. If you have just ECC defined then FP_MAX_BITS can be ECC max key size + 32. For both RSA and ECC you can reduce ECC stack usage by defining ALT_ECC_SIZE, which will use heap for the ECC point instead of stack.

We have some good examples for configuring the math library cases here:
https://github.com/wolfSSL/wolfssl/blob … settings.h

Thanks,
David Garske, wolfSSL

Hi burakkirazli,

Thanks for letting us know the fix was due to not having XREALLOC / realloc implemented correctly when using the normal math.

David Garske, wolfSSL

Hi burakkirazli,

Error -142 is `ASN_GETINT_E`. Happening on call to `wc_RsaPublicKeyDecode`. My best guess is your heap allocation failed when trying to parse the RSA certificate from the peer. Check your heap space and either make more available or switch to a stack based math by defining USE_FAST_MATH. It might be helpful to look at this example user_settings.h file, which describes many build options. https://github.com/wolfSSL/wolfssl/blob … settings.h

Thanks,
David Garske, wolfSSL

(1 replies, posted in wolfSSL)

Hi bsda_dev,

I compared the generated wolfssl/options.h using ./configure and ./configure --enable-tls13 and the resulting build option differences are:

#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define WC_RSA_PSS
#define HAVE_HKDF

I am surprised that server method would work and allow TLSv1.2, since it should not allow downgrade unless you are using the wolfSSLv23_server_method. Please also share your Wireshark trace. If you want, submit directly to our support email support@wolfssl.com and reference this forum post.

Thanks,
David Garske, wolfSSL

Hi burakkirazli,

Looks like the TLS server did not like something in the client_hello and sent back an alert 40 (handshake_failure). Can you describe more about the server and what build options you are using? Perhaps you can send a Wireshark trace and print a run-time list of enabled cipher suites?

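```c
#include <stdio.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/ssl.h>

/* Size of the buffer that receives the colon-separated cipher suite names. */
#ifndef WOLFSSL_CIPHER_LIST_MAX_SIZE
    #define WOLFSSL_CIPHER_LIST_MAX_SIZE 4096
#endif

/* Print the cipher suites enabled in this build at run time. */
static void ShowCiphers(void)
{
    char ciphers[WOLFSSL_CIPHER_LIST_MAX_SIZE];
    int ret = wolfSSL_get_ciphers(ciphers, (int)sizeof(ciphers));

    if (ret == WOLFSSL_SUCCESS)
        printf("%s\n", ciphers);
}
```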

Thanks,
David Garske, wolfSSL

Hi burakkirazli,

See "Date BEFORE check failed" message above. The -150 error (from wolfssl/wolfcrypt/error-crypt.h) "ASN_BEFORE_DATE_E  = -150,  /* ASN date error, current date before */".

Your RTC time is not set up properly, so the certificate date check is failing. Here are the possible solutions:

1. Set up your RTC correctly via the XTIME macros. Example here: https://github.com/wolfSSL/wolfssl/blob … ngs.h#L449

2. Override the date error in the verify callback (see this example: https://github.com/wolfSSL/wolfssl/blob … t.h#L1721)

3. Disable all certificate date checking by disabling NO_ASN_TIME. Do note that this will allow expired certificates to be used.

Thanks,
David Garske, wolfSSL
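
A narrow form of option 2, as an added example that is not from the original post or the linked wolfSSL example: the decision a verify callback could make so that only the "before date" error is tolerated, and only while the clock is provably unset. `date_override_ok` and `FIRMWARE_BUILD_EPOCH` are hypothetical names; the two error values are repeated from wolfssl/wolfcrypt/error-crypt.h so the block compiles on its own.

```c
/* Repeated from wolfssl/wolfcrypt/error-crypt.h (ASN_BEFORE_DATE_E and
 * ASN_AFTER_DATE_E) so this block builds without the library. */
enum { DATE_BEFORE_E = -150, DATE_AFTER_E = -151 };

/* Hypothetical: Unix time at which the firmware image was built, normally
 * injected by the build system. The default is a constructed sample value. */
#ifndef FIRMWARE_BUILD_EPOCH
#define FIRMWARE_BUILD_EPOCH 1700000000L
#endif

/* Returns 1 to accept the certificate, 0 to reject it.
 * preverify: the value wolfSSL passes to the verify callback
 * err:       the error from the store context (store->error)
 * now:       current time as reported by the RTC / XTIME */
int date_override_ok(int preverify, int err, long now)
{
    if (preverify == 1)
        return 1;                  /* chain already verified cleanly */

    if (err != DATE_BEFORE_E)
        return 0;                  /* expiry, bad signature, etc. stay fatal */

    /* A clock earlier than the firmware build time cannot be right, so the
     * "not yet valid" result says nothing about the certificate itself.
     * Once the clock is plausible, the date error is enforced again. */
    return (now < FIRMWARE_BUILD_EPOCH) ? 1 : 0;
}
```

While the clock is unset an expired certificate also fails with the "before date" error, so expiry is not being checked during that window; set the time and re-verify as early as possible.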

(3 replies, posted in wolfMQTT)

Hi burakkirazli,

If you don't have socket error codes for EWOULDBLOCK or EAGAIN then why are you using the WOLFMQTT_NONBLOCK build option?

Perhaps you can explain more about your use case and socket library being used?

Thanks,
David Garske, wolfSSL

(3 replies, posted in wolfMQTT)

Hi burakkirazli,

Thanks for your report. I pushed a fix into PR 135 here (https://github.com/wolfSSL/wolfMQTT/pull/135). Please give it a try and let me know if this works.

Thanks,
David Garske, wolfSSL

(3 replies, posted in wolfSSL)

Hi burakkirazli,

You must run the example from the wolfssl-root like:
./examples/echoserver/echoserver

Also you can find some simple TLS examples in our wolfssl-examples repo here:
https://github.com/wolfSSL/wolfssl-examples

Thanks,
David Garske, wolfSSL

(3 replies, posted in wolfSSL)

Hi Cookie,

Have you seen our simple TLS examples in our wolfssl-examples repo?
https://github.com/wolfSSL/wolfssl-exam … master/tls

The -345 NO_PEER_CERT error indicates the peer did not present a certificate. See the wolfSSL_CTX_set_verify API for setting the verify options for the peer certificate.

Thanks,
David Garske, wolfSSL

(2 replies, posted in wolfCrypt)

Hi JMG,

You can find the RISC-V examples here:
https://github.com/wolfSSL/wolfssl/tree … PSE/SIFIVE
https://github.com/wolfSSL/wolfssl/tree … /IDE/RISCV

Also I just put up a PR to consolidate the RISC-V information into IDE/RISCV here:
https://github.com/wolfSSL/wolfssl/pull/2490

Thanks,
David Garske, wolfSSL

(2 replies, posted in wolfCrypt)

Hi Kvkhekale,

Also make sure you have the arm-none-eabi-gcc-8.3.1/bin directory in your path.

Thanks,
David Garske, wolfSSL

(2 replies, posted in wolfCrypt)

Hi kvhekale,

Try using something like this:

```sh
export WOLFSSL_PREFIX="`pwd`/../build"
./configure \
    --host=arm-none-eabi \
    CFLAGS="-mcpu=cortex-m0 --specs=nano.specs -DNO_WOLFSSL_DIR -DWOLFSSL_USER_IO -DNO_WRITEV" \
    --prefix=$WOLFSSL_PREFIX/wolfssl-m0-baremetal \
    --disable-examples
make
make install
```

Thanks,
David Garske, wolfSSL

(3 replies, posted in wolfCrypt)

Hi i.fedotov,

The PIC32MZ does not allow two hardware hashing operations to happen at the same time. We have two versions of the hardware crypto. Some of the TLS operations required overlapping update/final. Make sure you do not have WOLFSSL_PIC32MZ_LARGE_HASH defined.

1. Enabled with WOLFSSL_PIC32MZ_LARGE_HASH, which enables direct update/finish calls to hardware.

2. Caches updates and only uses hardware on final.

You can see this code in wolfcrypt/src/port/pic32/pic32mz-crypt.c. In Harmony sources it's in HarmonyFramework/crypt/src.

Let me know if that makes a difference for you or not. If not please let me know the cipher suite and TLS version being used. If possible also enable debugging using DEBUG_WOLFSSL and calling wolfSSL_Debugging_ON();.

Thanks,
David Garske, wolfSSL