wolfSSL - Embedded SSL Library → Posts by dgarske
Hi DanielGruber,
We can reproduce the issue and are working on a fix. Once it is available I will post a link here shortly.
Thanks,
David Garske, wolfSSL
Hi DanielGruber,
Thanks for the detailed report for wolfMQTT and multithreading. I will see if I can reproduce and resolve.
David Garske, wolfSSL
Hi ashetty,
Those functions are "internal" as defined by `WOLFSSL_LOCAL`, which tells the compiler not to export them, via wolfssl/wolfcrypt/visibility.h: `#define WOLFSSL_LOCAL __attribute__ ((visibility("hidden")))`.
Is there a reason you aren't using a public API like: `wolfSSL_get_cipher_list`, `wolfSSL_get_ciphers`, `wolfSSL_get_ciphers_iana`?
If you really want to expose the internal APIs you'll need to un-define HAVE_VISIBILITY or un-define BUILDING_WOLFSSL.
Thanks,
David Garske, wolfSSL
Hi yighax2,
Check out our wolfssl-examples repo. We have a few examples that will help you with this:
https://github.com/wolfSSL/wolfssl-exam … -callbacks
https://github.com/wolfSSL/wolfssl-exam … master/tls
See the "-callback" TLS examples
These use our custom IO callbacks, which are set using:
wolfSSL_CTX_SetIORecv(ctx, my_IORecv);
wolfSSL_CTX_SetIOSend(ctx, my_IOSend);
You can also set a custom pointer context using:
wolfSSL_SetIOReadCtx(ssl, &recvCtx);
wolfSSL_SetIOWriteCtx(ssl, &sendCtx);
You can build with `WOLFSSL_USER_IO` to disable the internal "socket" handling and require use of these IO callbacks.
Thanks,
David Garske, wolfSSL
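A sketch of what such a pair of callbacks can look like, as an added example that is not part of the original post or of the wolfssl-examples repo. It uses the `my_IORecv` / `my_IOSend` names from the post; `IoBuf` and the `IO_ERR_*` names are hypothetical, and the transport is a fixed in-memory FIFO so the return-value contract can be exercised without a socket.

```c
#include <string.h>

typedef struct WOLFSSL WOLFSSL;  /* opaque here; normally from <wolfssl/ssl.h> */

/* Same values as WOLFSSL_CBIO_ERR_GENERAL and WOLFSSL_CBIO_ERR_WANT_READ /
 * WOLFSSL_CBIO_ERR_WANT_WRITE in wolfssl/ssl.h; use those names in a real build. */
enum { IO_ERR_GENERAL = -1, IO_ERR_WANT = -2 };

/* Hypothetical transport context: a fixed buffer standing in for a UART/radio FIFO. */
typedef struct {
    unsigned char data[256];
    int len;                     /* bytes currently queued */
} IoBuf;

/* Receive callback: return bytes copied into buf, or a negative IO error. */
int my_IORecv(WOLFSSL *ssl, char *buf, int sz, void *ctx)
{
    IoBuf *in = (IoBuf *)ctx;
    (void)ssl;
    if (in == NULL || buf == NULL || sz <= 0)
        return IO_ERR_GENERAL;
    if (in->len == 0)
        return IO_ERR_WANT;      /* nothing queued yet: caller retries later */
    if (sz > in->len)
        sz = in->len;            /* short read is fine; never read past the queue */
    memcpy(buf, in->data, (size_t)sz);
    memmove(in->data, in->data + sz, (size_t)(in->len - sz));
    in->len -= sz;
    return sz;
}

/* Send callback: return bytes accepted, or a negative IO error. */
int my_IOSend(WOLFSSL *ssl, char *buf, int sz, void *ctx)
{
    IoBuf *out = (IoBuf *)ctx;
    int room;
    (void)ssl;
    if (out == NULL || buf == NULL || sz <= 0)
        return IO_ERR_GENERAL;
    room = (int)sizeof(out->data) - out->len;
    if (room == 0)
        return IO_ERR_WANT;      /* FIFO full: caller retries later */
    if (sz > room)
        sz = room;               /* accept only what fits, never overflow data[] */
    memcpy(out->data + out->len, buf, (size_t)sz);
    out->len += sz;
    return sz;
}
```

In a real build the callbacks are registered with the `wolfSSL_CTX_SetIORecv` / `wolfSSL_CTX_SetIOSend` calls shown in the post, and an `IoBuf` pointer is passed as the read or write context.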
Hi isnipenow,
See the `wc_RsaPublicKeyDecode` function.
Our wolfssl-examples repository has many examples:
https://github.com/wolfSSL/wolfssl-exam … rify.c#L85
Documentation:
https://www.wolfssl.com/doxygen/group__ … 35bda1f728
Thanks,
David Garske, wolfSSL
Hi pbreed,
Thanks for the forum question. You can also use our support@wolfssl.com ZenDesk system for faster responses.
Can you describe how you are building wolfSSL? Internally we have mutex protection if threading is enabled.
If the --enable-singlethreaded option is set or SINGLE_THREADED is defined then threading is not supported.
Thanks,
David Garske, wolfSSL
Hi noahh0123,
Try setting the RNG for the RsaKey using:
int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng)
See the following:
https://github.com/wolfSSL/wolfssl-exam … h-sign-rsa
https://www.wolfssl.com/forums/topic111 … -data.html
David Garske, wolfSSL
Hi burakkirazli,
It depends on the algorithms enabled/used and the FP_MAX_BITS you have defined. The ECC and RSA algorithms use fast math.
Typically during a TLS connection you'll have several of these on the stack. I recommend starting with 10KB of stack and then looking at your stack high watermark to determine how much to reduce.
For RSA the FP_MAX_BITS is double the maximum key size. RSA 2048-bit requires double the max bits, so 4096. If you have just ECC defined then FP_MAX_BITS can be ECC max key size + 32. For both RSA and ECC you can reduce ECC stack usage by defining ALT_ECC_SIZE, which will use heap for the ECC point instead of stack.
We have some good examples for configuring the math library cases here:
https://github.com/wolfSSL/wolfssl/blob … settings.h
Thanks,
David Garske, wolfSSL
Hi burakkirazli,
Thanks for letting us know the fix was due to not having XREALLOC / realloc implemented correctly when using the normal math.
David Garske, wolfSSL
Hi burakkirazli,
Error -142 is `ASN_GETINT_E`. Happening on call to `wc_RsaPublicKeyDecode`. My best guess is your heap allocation failed when trying to parse the RSA certificate from the peer. Check your heap space and either make more available or switch to a stack-based math by defining USE_FAST_MATH. It might be helpful to look at this example user_settings.h file, which describes many build options. https://github.com/wolfSSL/wolfssl/blob … settings.h
Thanks,
David Garske, wolfSSL
Hi bsda_dev,
I compared the generated wolfssl/options.h using ./configure and ./configure --enable-tls13 and the resulting build option differences are:
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define WC_RSA_PSS
#define HAVE_HKDF
I am surprised that server method would work and allow TLSv1.2, since it should not allow downgrade unless you are using the wolfSSLv23_server_method. Please also share your Wireshark trace. If you want, you can submit it directly to our support email support@wolfssl.com and reference this forum post.
Thanks,
David Garske, wolfSSL
Hi burakkirazli,
Looks like the TLS server did not like something in the client_hello and sent back an alert 40 (handshake_failure). Can you describe more about the server and what build options you are using? Perhaps you can send a Wireshark trace and print a run-time list of enabled cipher suites?
```c
#include <stdio.h>
#include <wolfssl/ssl.h>

#ifndef WOLFSSL_CIPHER_LIST_MAX_SIZE
    #define WOLFSSL_CIPHER_LIST_MAX_SIZE 4096
#endif

/* Print the colon-separated list of cipher suites enabled in this build */
static void ShowCiphers(void)
{
    char ciphers[WOLFSSL_CIPHER_LIST_MAX_SIZE];
    int ret = wolfSSL_get_ciphers(ciphers, (int)sizeof(ciphers));
    if (ret == WOLFSSL_SUCCESS)
        printf("%s\n", ciphers);
}
```
Thanks,
David Garske, wolfSSL
Hi burakkirazli,
See "Date BEFORE check failed" message above. The -150 error (from wolfssl/wolfcrypt/error-crypt.h) "ASN_BEFORE_DATE_E = -150, /* ASN date error, current date before */".
Your RTC time is not setup properly, so the certificate date check is failing. Here are the possible solutions:
1. Setup your RTC correctly via the XTIME macros. Example here: https://github.com/wolfSSL/wolfssl/blob … ngs.h#L449
2. Override the date error in the verify callback (see this example: https://github.com/wolfSSL/wolfssl/blob … t.h#L1721)
3. Disable all certificate date checking by disabling NO_ASN_TIME. Do note that this will allow expired certificates to be used.
Thanks,
David Garske, wolfSSL
Hi burakkirazli,
If you don't have socket error codes for EWOULDBLOCK or EAGAIN then why are you using the WOLFMQTT_NONBLOCK build option?
Perhaps you can explain more about your use case and the socket library being used?
Thanks,
David Garske, wolfSSL
Hi burakkirazli,
Thanks for your report. I pushed a fix into PR 135 here (https://github.com/wolfSSL/wolfMQTT/pull/135). Please give it a try and let me know if this works.
Thanks,
David Garske, wolfSSL
Hi burakkirazli,
You must run the example from the wolfssl-root like:
./examples/echoserver/echoserver
Also you can find some simple TLS examples in our wolfssl-examples repo here:
https://github.com/wolfSSL/wolfssl-examples
Thanks,
David Garske, wolfSSL
Hi Cookie,
Have you seen our simple TLS examples in our wolfssl-examples repo?
https://github.com/wolfSSL/wolfssl-exam … master/tls
The -345 NO_PEER_CERT error indicates the peer did not present a certificate. See the wolfSSL_CTX_set_verify API for setting the verify options for the peer certificate.
Thanks,
David Garske, wolfSSL
Hi JMG,
You can find the RISC-V examples here:
https://github.com/wolfSSL/wolfssl/tree … PSE/SIFIVE
https://github.com/wolfSSL/wolfssl/tree … /IDE/RISCV
Also I just put up a PR to consolidate the RISC-V information into IDE/RISCV here:
https://github.com/wolfSSL/wolfssl/pull/2490
Thanks,
David Garske, wolfSSL
Hi Kvkhekale,
Also make sure you have the arm-none-eabi-gcc-8.3.1/bin directory in your path.
Thanks,
David Garske, wolfSSL
Hi kvhekale,
Try using something like this:
```
export WOLFSSL_PREFIX="`pwd`/../build"
./configure \
    --host=arm-none-eabi \
    CFLAGS="-mcpu=cortex-m0 --specs=nano.specs -DNO_WOLFSSL_DIR -DWOLFSSL_USER_IO -DNO_WRITEV" \
    --prefix=$WOLFSSL_PREFIX/wolfssl-m0-baremetal \
    --disable-examples
make
make install
```
Thanks,
David Garske, wolfSSL
Hi i.fedotov,
The PIC32MZ does not allow two hardware hashing operations to happen at the same time. We have two versions of the hardware crypto. Some of the TLS operations required overlapping update/final. Make sure you do not have WOLFSSL_PIC32MZ_LARGE_HASH defined.
1. Enabled with WOLFSSL_PIC32MZ_LARGE_HASH, which enables direct update/finish calls to hardware.
2. Caches updates and only uses hardware on final.
You can see this code in wolfcrypt/src/port/pic32/pic32mz-crypt.c. In Harmony sources it's in HarmonyFramework/crypt/src.
Let me know if that makes a difference for you or not. If not please let me know the cipher suite and TLS version being used. If possible also enable debugging using DEBUG_WOLFSSL and calling wolfSSL_Debugging_ON();.
Thanks,
David Garske, wolfSSL
Hi Naveen,
By default we have threading support enabled, and it defaults to pthread. You can define NO_FILESYSTEM to disable it.
I recommend setting up your own build configuration file called "user_settings.h" and defining a single global pre-processor macro WOLFSSL_USER_SETTINGS. Then you can manage all your build settings in one place. In your user application make sure you include wolfssl/wolfcrypt/settings.h before any other wolf headers. We have a section on this in the FAQ link previously sent.
Thanks,
David Garske, wolfSSL
Hi naveen,
Our wolfSSL/wolfCrypt library does not have any references to "getcwd". Can you provide additional details as to where you are seeing that error? It sounds like a C stdlib issue with the ardupilot project and your compiler.
Thanks,
David Garske, wolfSSL
Hi EricDOS,
For measuring sizes of shared objects you might try the size command:
```
./configure --enable-leantls && make
size ./src/.libs/libwolfssl.dylib
__TEXT  __DATA  __OBJC  others  dec     hex
262144  4096    0       36864   303104  4a000
```
Thanks,
David Garske, wolfSSL
Hi EricDOS,
How are you measuring the code size? If you are just looking at the shared DLL size that has overhead for symbols, which aren't there in a static build. Also most of the size optimization occurs at link-time with the final application. Try using --disable-shared and use the static library with your application.
Can you tell us more about the target and application? We have many options for tuning, but it helps to know the CPU and RTOS.
The fast math library should be about the same size, but it uses stack for math variables instead of heap. The fast math library also supports assembly optimizations.
You might also check our --enable-leantls option in ./configure.ac, which has many additional options for reducing code size. See https://github.com/wolfSSL/wolfssl/blob … re.ac#L637
You can find a good reference document here:
https://github.com/wolfSSL/wolfssl/tree … ng-options
If you are looking to boost performance you can try our `--enable-sp=small` option, which provides optimized code for specific keys and curves. This will not reduce code size.
Thanks,
David Garske, wolfSSL