326 Reply by dgarske

(24 replies, posted in wolfSSL)

Hi ePaul,

You can do whichever is easier for you.

To clone the branch use:

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
git fetch origin pull/1805/head:fix_csr
git checkout fix_csr

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

327 Reply by dgarske

(24 replies, posted in wolfSSL)

Hi ePaul,

Thanks for the bug report. I was able to reproduce your issue and identiy the cause. I've pushed a wolfSSL fix for this issue here (https://github.com/wolfSSL/wolfssl/pull/1805). It was a new issue that happened after we added some additional fields to support BusinessUnit.

I'm located in PDT (UTC -7).

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

328 Reply by dgarske

(2 replies, posted in wolfCrypt)

Hi Ehsan,

The RSA key generation is a very intensive operation. Even on a top end Intel i7 part is takes almost 1 second. Generating an RSA 2048-bit key requires two 256 byte prime numbers. It requires a large amount of RNG data. I suspect it appears to hang, but its still running.

Example:

./configure --enable-keygen && make
./wolfcrypt/benchmark/benchmark -rsa-kg
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
RSA     1024 key gen         8 ops took 1.058 sec, avg 132.305 ms, 7.558 ops/sec
RSA     2048 key gen         3 ops took 2.862 sec, avg 954.070 ms, 1.048 ops/sec

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

329 Reply by dgarske

(24 replies, posted in wolfSSL)

Hi ePaul,

To build you'll need to use:

./configure --enable-certgen --enable-certreq --enable-certext --enable-pkcs7 --enable-cryptodev --enable-opensslextra=x509small CFLAGS="-DTIME_T_NOT_LONG  -DWOLFSSL_MULTI_ATTRIB"
make
sudo make install
sudo ldconfig

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

330 Reply by dgarske

(24 replies, posted in wolfSSL)

Hi ePaul,

To resolve the build error in our api.c unit test you can build with the `./configure CFLAGS="-DTIME_T_NOT_LONG"` option. This uses a 32-bit time type.

For the wolfTPM question on creating a Certificate Signing Request you can find the complete example here:
https://github.com/wolfSSL/wolfTPM/blob … /csr/csr.c

Let us know if you have any other issues or questions.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

331 Reply by dgarske

(3 replies, posted in wolfCrypt)

Hi AdoraKalb,

That sounds like an issue with not providing enough stack space to the FreeRTOS thread on the xTaskCreate. Try increasing the stack size for that task and let us know if that helps.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

332 Reply by dgarske

(2 replies, posted in General Inquiries)

Hi kjjy,

The actual function name is `wc_EccKeyToDer`.
https://github.com/wolfSSL/wolfssl/blob … lic.h#L402

The old Cyassl used `EccKeyToDer` and is deprecated here:
https://github.com/wolfSSL/wolfssl/blob … blic.h#L71

To use this you must have ECC enabled:
`./configure --enable-ecc` or `#define HAVE_ECC`.

Thanks,
David Garske, wolfSSL

Go to forum: General Inquiries

333 Reply by dgarske

(2 replies, posted in General Inquiries)

Hi kjjy7,

If you are using ./configure you do not need to use user_settings.h. The ./configure outputs a build configuration file to wolfssl/options.h. You can use this file as a template for user_settings.h if you are building the sources directly (without ./configure).

If you are building sources directly then you can define WOLFSSL_USER_SETTINGS and add a user_settings.h file to your include path. There is an excellent template for this here: https://github.com/wolfSSL/wolfssl/blob … settings.h

Thanks,
David Garske, wolfSSL

Go to forum: General Inquiries

334 Reply by dgarske

(4 replies, posted in General Inquiries)

Hi kjjy7,

Try using the function `wolfSSL_get_state`. We also have an API `wolfSSL_state_string_long` which gets a string version of the current state.

We also have an internal TLS client state is in `ssl->options.clientState`. The possible values are here: https://github.com/wolfSSL/wolfssl/blob … al.h#L1428

Let us know if that is helpful or not.

Thanks,
David Garske, wolfSSL

Go to forum: General Inquiries

335 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi lupusn00b,

The user_settings.h file is only used when `WOLFSSL_USER_SETTINGS` is defined and is usually used when building the wolfSSL/wolfCrypt sources directly. You asked about only having HMAC+SHA256. It looks like yours is disabling HMAC and SHA256. You should not have the NO_HMAC and NO_SHA256 defined. Also there are a bunch of other defines you'll want for disabling other algorithms.

Here is a good tip: When you run ./configure with your desired options it generates a file in `wolfssl/options.h`. You can use this file as a template for your user_settings.h.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

336 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi Te,

Fix posted here: https://github.com/wolfSSL/wolfssl/pull/1689

Thanks.
David Garske, wolfSSL

Go to forum: wolfSSL

337 Reply by dgarske

(1 replies, posted in wolfMQTT)

Hi Giovanni,

Have you tried adding `-mlongcalls` to your CFLAGS and CXXFLAGS?

See forum post here:
https://www.esp32.com/viewtopic.php?t=1612

Thanks,
David Garske, wolfSSL

Go to forum: wolfMQTT

338 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi Gil,

Yes you can disable DH if you are using ECC or a static cipher suite.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

339 Reply by dgarske

(1 replies, posted in wolfCrypt)

Hi leroyk2,

We have a fix pushed for this here:
https://github.com/wolfSSL/wolfssl/pull/1505

Specifically this line:
https://github.com/wolfSSL/wolfssl/pull … d4937R8575

You may find some of the other improvements in that PR useful as well for the STM32 with CubeMX.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

340 Reply by dgarske

(1 replies, posted in wolfMQTT)

Hi Ed,

Thanks for the report of these issues. I've fixed the script for directory check. The double equal works on some platforms, but you are right the single equal is the best practice. Fix pushed here: https://github.com/wolfSSL/wolfMQTT/com … o?expand=1

Is the `~/ARDUINO`a standard location on all platforms? The example we built uses the `#include <wolfMQTT.h>` include. Where did you see the `wolfmqtt.h` case expected?

Thanks,
David Garske, wolfSSL

Go to forum: wolfMQTT

341 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi Marco,

The return code from the verify callback allows an error to do overridden. By default the verify callback is only issued in the error case, unless you have `WOLFSSL_ALWAYS_VERIFY_CB` defined. You can use the `store->error` variable to determine the error reason (if one exists). A non-zero return code such a 1 or `WOLFSSL_SUCCESS` allows an error to be overridden. A return value of 0 means continue processing the error in the default way (fail).

For everyones reference the verify callback is set using: `wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);`

Here are some example implementations we use for internal testing of the verify callback:
https://github.com/wolfSSL/wolfssl/blob … st.h#L1361
https://github.com/wolfSSL/wolfssl/blob … st.h#L1404

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

342 Reply by dgarske

(1 replies, posted in wolfMQTT)

Hi PeterL,

Thanks so much for the excellent bug report!

I've issued a fix for this here:
https://github.com/wolfSSL/wolfMQTT/pull/52

We should be doing a wolfMQTT release by the end of the month. This change will be included.

We are always curious how customers are using wolfMQTT and wolfSSL, so it would be great to hear from you by email at info@wolfssl.com.

Please feel free to ask additional questions anytime. You can also get support using support@wolfssl.com.

Thanks,
David Garske, wolfSSL

Go to forum: wolfMQTT

343 Reply by dgarske

(25 replies, posted in wolfSSL)

Hi olle,

We are looking into the DTLS 1.0 report. We see the CLIENT_HELLO retried even though the SERVER_HELLO is received. We believe this causes the DTLS sever to drop the connection since the second CLIENT_HELLO does not include the same packet information as the first request (its missing TLS extensions). We believe this may be a bug with our DTLS 1.0 code and we hope to have a fix available shortly. Thanks for your details report and we will provide you a followup soon.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

344 Reply by dgarske

(25 replies, posted in wolfSSL)

Hi olle,

The alert 40 is `handshake_failure`. That might indicate a PSK key error. What are you using for the server side? We'd like to setup a local test against the same DTLS server.

Have you seen our example PSK callback functions here?
https://github.com/wolfSSL/wolfssl/blob … st.h#L1082

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

345 Reply by dgarske

(3 replies, posted in wolfSSL)

Hi jebrando,

To resolve this error you have two options:

1. Enable the hardening options `./configure --enable-harden`
2. Disable the hardening support using `./configure CFLAGS="-DWC_NO_HARDEN`

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

346 Reply by dgarske

(10 replies, posted in wolfMQTT)

Hi zoomto.jitendra,

The net_pres_enc_glue.c is a generated file from the Harmony tool. Under the networking section you will find a net presentation checkbox.

The wolfmqtt_client example demonstrates your basic MQTT client features such as connect, subscribe and publish. The `wolfmqtt_firmware` project demonstrates using MQTT for a firmware update example.

Thanks,
David Garske, wolfSSL

Go to forum: wolfMQTT

347 Reply by dgarske

(3 replies, posted in wolfCrypt)

Hi Telina,

AES CBC mode requires the input to be block aligned. Generally the caller will need to add some type of padding to make sure its 16 byte aligned. It would be okay to just pad with zeros. Some people will pad with the pad count value.

AES CTR mode has a feature where the leftover bytes remain in the `Aes` object and are used on the next call.

You do bring up a good point about the wc_AesCbcEncrypt not checking for block size, however the wc_AesCbcDecrypt does. I'll bring this up with the team this week and let you know the reason for this or get a fix for it.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

348 Reply by dgarske

(10 replies, posted in wolfMQTT)

Hi smitthhyy,

I am the author of the wolfMQTT library and did the integration into Harmony. I just downloaded the Harmony v2.05 to test it out. You must be having some include issues. The build error doesn't make sense to me since `mqtt_packet.h`defines `MqttMessage`, which is included just above in mqtt_client.h.

As for v0.10 in Harmony it looks like Microchip hasn't been updating the library, so I will ping them about getting it updated.

For now the best solution is to download the latest from us directly and replace it inside the Harmony `third_party/tcpip/wolfmqtt`.
https://github.com/wolfSSL/wolfMQTT
Then you'll have to re-generate your Harmony code. The README.md Kaleb provided explains how to do this.

Let me know if that is helpful or not. If you continue to get errors please email us at support@wolfssl.com and include the project for reference.

Thanks,
David Garske, wolfSSL

Go to forum: wolfMQTT

349 Reply by dgarske

(1 replies, posted in wolfCrypt)

Hi lalonde,

For the RSA using our signature wrapper `wc_SignatureGenerate` the type `WC_SIGNATURE_TYPE_RSA_W_ENC` adds ASN1 DER encoding which includes the OID around the signature. Both `WC_SIGNATURE_TYPE_RSA` and `WC_SIGNATURE_TYPE_RSA_W_ENC` using PKCS v1.5.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

350 Reply by dgarske

(1 replies, posted in wolfCrypt)

Hi ravi.kumar,

To use the `TLS13-AES128-GCM-SHA256` cipher suite you must also enable AES GCM. Please try adding `--enable-aesgcm` to your ./configure options.

Another helpful tip is you can get a list of available cipher suites using:
./examples/client/client -e

You can get a list of ./configure commands using `./configure --help`.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt