You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by dgarske
Hi harish.reddy,
There is not enough data there to determine that information. Typically the AES GCM IV is 12 bytes. Typically the AES GCM Auth Tag is 16 bytes. Typically the AES GCM Encrypted data is a multiple of block size (16 bytes).
https://github.com/wolfSSL/wolfssl/blob … aes.h#L110
Thanks,
David Garske, wolfSSL
Hi naveen,
Thanks for your interest in our library. The project sounds interesting. Overall its pretty easy, since its all c code and GPLv2.
See these resources:
* wolfSSL Porting Guide: https://www.wolfssl.com/docs/porting-guide/
* wolfSSL FAQ: https://www.wolfssl.com/docs/frequently … tions-faq/
Let us know if you have any issues or questions.
Thanks,
David Garske, wolfSSL
Hi ENOTTY,
The BIO_write expects WOLFSSL_BIO_SSL for an SSL socket write. Have you tried setting up a BIO with that type?
We have some BIO enhancements in the queue. See this pull request: https://github.com/wolfSSL/wolfssl/pull/2462
Thanks,
David Garske, wolfSSL
Hi pm_vnct,
Your steps for certificate and key generation look correct. The DER format should be loaded with the `WOLFSSL_FILETYPE_ASN1` option as you are doing. The -4 option is `WOLFSSL_BAD_FILETYPE`, which would happen if the format was invalid.
Here is how the use private key buffer call should look:
wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, (long)sz, WOLFSSL_FILETYPE_ASN1);For the connection to work you also need the peer to load the CA as trusted using the wolfSSL_CTX_load_verify_buffer API. You will also need to load the client certificate using wolfSSL_CTX_use_certificate_buffer.
Thanks,
David Garske, wolfSSL
Hi coco21,
We've started a dialog with Hex-Five here: https://github.com/hex-five/multizone-s … /issues/65
Feel free to join the discussion.
Thanks,
David Garske, wolfSSL
Hi coco21,
Make sure:
1. Your Makefile/build script defines the `WOLFSSL_USER_SETTINGS` macro (CFLAGS="-DWOLFSSL_USER_SETTINGS"). This will make sure the user_settings.h configuration is included and the same build configuration is used.
2. You include <wolfssl/wolfcrypt/settings.h> in your application code prior to any other wolfSSL headers.
Thanks,
David Garske, wolfSSL
Hi coco21,
Thanks for the issue report.
The user_settings.h https://github.com/hex-five/multizone-s … ngs.h#L218 has `HAVE_FFDHE_4096` set, which would require `FP_MAX_BITS` = 4096*2 or 8192.
Options are:
1. Comment out `HAVE_FFDHE_4096` to disable 4096-bit DH support.
2. Change `FP_MAX_BITS` to 8192.
We'll make sure this gets fixed in the HexFive demo.
Thanks,
David Garske, wolfSSL
Hi pm_vnct,
You are on the right track. If you register IO callbacks using `wolfSSL_CTX_SetIORecv` and `wolfSSL_CTX_SetIOSend`, then return `WOLFSSL_CBIO_ERR_WANT_READ` or `WOLFSSL_CBIO_ERR_WANT_WRITE` it will go up to the original caller wolfSSL_connect, wolfSSL_read or wolfSSL_write. This allows you to check for the return code, do other work and call again.
Here is an example for using the callbacks with want read/write:
https://github.com/wolfSSL/wolfssl-exam … callback.c
Here is an example for non-blocking:
https://github.com/wolfSSL/wolfssl-exam … ing.c#L136
Thanks,
David Garske, wolfSSL
Hi harish.reddy,
Can you also tell us a bit about the build environment you are using such as compiler, IDE and RTOS?
I'm guessing you are building the sources directly. Make sure you have added the wolfssl-root to your include path. All our code include references the root. `CFLAGS="-I<wolfssl-root>"`. For build configuration I recommend defining `WOLFSSL_USER_SETTINGS` and having your own `user_settings.h` file. You can find a good article for this here:https://www.wolfssl.com/how-do-i-manage-the-build-configuration-of-wolfssl/
Thanks,
David Garske, wolfSSL
Hi harish.reddy,
We have a good AES CBC example here, which can be adopted to GCM:
https://github.com/wolfSSL/wolfssl-exam … -encrypt.c
Our AES GCM wolfCrypt test is here:
https://github.com/wolfSSL/wolfssl/blob … st.c#L7225
Thanks,
David Garske, wolfSSL
Hi rndtk9,
The certificate chain presented by peer should have server cert first, then intermediates, then root.
From src/ssl.c line 4779:
/* Chain should have server cert first, then intermediates, then root.
* First certificate in chain is processed below after ProcessUserChain
* and is loaded into ssl->buffers.certificate.
* Remainder are processed using ProcessUserChain and are loaded into
* ssl->buffers.certChain. */
Thanks,
David Garske, wolfSSL
Hi Kit,
The call to generate an ECC shared secret uses an encrypted channel with requires a paired encryption key. The default wolfSSL examples use `atmel_get_enc_key_default`, which is all 0xFF's. You should override this function with your own implementation and key. This can be done at build-time using `ATECC_GET_ENC_KEY`.
If you'd like to use a different slot for the ephemeral key generation you can override at build time with macro `ATECC_SLOT_ECDHE_PRIV` or at runtime by registering a slot allocator using `atmel_set_slot_allocator`.
You can test if its the encryption key by replacing the `atcab_ecdh_enc` with `atcab_ecdh` in `atmel_ecc_create_pms`.
Also the ATECC chips have a watchdog that will occur if the chip isn't put into idle state when done. You'll notice calls to `atcab_idle` in our wolfcrypt/port/atmel/atmel.c to resolve this.
Feel free to email us directly at support@wolfssl.com with your user_settings.h and logs. These emails get directed into our ZenDesk system and I'll make sure and grab the incoming ticket.
Thanks,
David Garske, wolfSSL
Hi TonyM,
The TPM 2.0 specification uses the term "evict" to indicate desire to perist a key into a permanent handle. Example for Native is here:
https://github.com/wolfSSL/wolfTPM/blob … est.c#L638
The wolfTPM wrapper has lots of code examples for doing this here:
https://github.com/wolfSSL/wolfTPM/blob … ap.c#L1190
https://github.com/wolfSSL/wolfTPM/blob … est.c#L199
Most TPM's only have room for about 8 permanent keys. Another option is to use the output from TPM2_Create or TPM2_CreatePrimary, which is encrypted and store that on your device (with more storage) then use TPM2_Load to put into a temporary handle.
Thanks,
David Garske, wolfSSL
Hi faberge,
Thanks for your interest in wolfSSL! It sounds like you are 99% of the way there.
The call to read 5 bytes is to get the TLS header, which indicates the total size of the TLS packet. So the next read will be the remainder of the TLS packet. Perhaps you can share a bit more about the code used in your read and write callbacks? You can find our default IO callback functions here: https://github.com/wolfSSL/wolfssl/blob … io.c#L194.
Make sure you are properly handling a non-blocking case, which you would need to return `WOLFSSL_CBIO_ERR_WANT_READ`.
Another common pitfall (depending on your transport layer) is some stacks require getting the entire packet in which case you'd need to cache the remainder of the TLS packet for the read after the 5 byte header.
If you still need help debugging this please provide debug logs, wireshark trace and code snippets for review. If you'd like to keep those private you can email us directly at support@wolfssl.com and reference this forum link.
Thanks,
David Garske, wolfSSL
Hi Peter,
Thanks for the excellent question! We are working on an enhancement right now to add the ability to chunk large publish messages being sent. The engineer working on this is Eric B. He will be following up with you shortly.
Thanks,
David Garske, wolfSSL
Hi Paul,
We will look into supporting this feature. I've started an email thread with another engineer. Your code may be valid, but wolfSSL doesn't yet support the serial number as part of the multi-attrib.
Thanks,
David Garske, wolfSSL
Hi ePaul,
The code changes to use multi-attrib for serial number are not valid. In fact the serial number field is different all-together and is not encoded into a CSR.
If you'd like to have a unique identifier in the certificate typically that goes into one of the subject fields such as common name. The only valid mult-attrib fields are: ASN_ORGUNIT_NAME and ASN_DOMAIN_COMPONENT.
Example here:
https://github.com/wolfSSL/wolfssl/blob … st.c#L8564
If you are going to use the multi-attrib fields then make sure the csr.c `CertName myCertName` is not const (I see you made it static above, which is fine).
Thanks,
David Garske, wolfSSL
Hi ePaul,
We've pushed an example for using large data with PKCS 7 sign/verify here:
https://github.com/wolfSSL/wolfTPM/pull/32
Thanks,
David Garske, wolfSSL
Hi ePaul,
We recently enhanced PKCS7 to support signing a large file using a computed hash and known total size. The wolfSSL pull request is here: https://github.com/wolfSSL/wolfssl/pull/1780
This works by computing the hash and providing it to the new wc_PKCS7_EncodeSignedData_ex API. It returns a header and footer that surrounds the original data.
I will post a wolfTPM example for using this shortly.
Thanks,
David Garske, wolfSSL
Hi Paul,
The CSR should not contain a serial number. The serial number is assigned by the CA when it gets signed.
I will however take a look at your example and see if there is an issue that needs fixed around CSR gen with serial number provided.
Thanks,
David Garske, wolfSSL
Hi ePaul,
You can do whichever is easier for you.
To clone the branch use:
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
git fetch origin pull/1805/head:fix_csr
git checkout fix_csr
Thanks,
David Garske, wolfSSL
Hi ePaul,
Thanks for the bug report. I was able to reproduce your issue and identiy the cause. I've pushed a wolfSSL fix for this issue here (https://github.com/wolfSSL/wolfssl/pull/1805). It was a new issue that happened after we added some additional fields to support BusinessUnit.
I'm located in PDT (UTC -7).
Thanks,
David Garske, wolfSSL
Hi Ehsan,
The RSA key generation is a very intensive operation. Even on a top end Intel i7 part is takes almost 1 second. Generating an RSA 2048-bit key requires two 256 byte prime numbers. It requires a large amount of RNG data. I suspect it appears to hang, but its still running.
Example:
./configure --enable-keygen && make
./wolfcrypt/benchmark/benchmark -rsa-kg
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
RSA 1024 key gen 8 ops took 1.058 sec, avg 132.305 ms, 7.558 ops/sec
RSA 2048 key gen 3 ops took 2.862 sec, avg 954.070 ms, 1.048 ops/sec
Thanks,
David Garske, wolfSSL
Hi ePaul,
To build you'll need to use:
./configure --enable-certgen --enable-certreq --enable-certext --enable-pkcs7 --enable-cryptodev --enable-opensslextra=x509small CFLAGS="-DTIME_T_NOT_LONG -DWOLFSSL_MULTI_ATTRIB"
make
sudo make install
sudo ldconfig
Thanks,
David Garske, wolfSSL
Hi ePaul,
To resolve the build error in our api.c unit test you can build with the `./configure CFLAGS="-DTIME_T_NOT_LONG"` option. This uses a 32-bit time type.
For the wolfTPM question on creating a Certificate Signing Request you can find the complete example here:
https://github.com/wolfSSL/wolfTPM/blob … /csr/csr.c
Let us know if you have any other issues or questions.
Thanks,
David Garske, wolfSSL
wolfSSL - Embedded SSL Library → Posts by dgarske
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.026 seconds (79% PHP - 21% DB) with 4 queries