You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by dgarske
Hi SunnySunday,
It's been added in PR https://github.com/wolfSSL/wolfssl/pull/7995 and should be merged shortly. It will be in the next release planned in a few weeks.
Can you tell us more about your project and use-case involving connection ID with DTLS v1.2? Feel free to email support at wolfssl dot com if you'd like to keep it confidential.
Thanks,
David Garske, wolfSSL
Hi Riker,
The error -229 means the RSA signature verification failed. It could mean the public key presented doesn't match the private key used. It could also be that it's an RSA key size that is not enabled. For example using RSA 4096-bit might require setting SP_INT_BITS 4096. Or perhaps it's trying to use an older SHA-1 or a new SHA2/SHA3 that is not enabled.
Can you share more of the logs or wirehshark? Can you tell us more about the hardware platform running wolfSSH client? Can you share the build settings used for wolfCrypt and wolfSSH?
Thanks,
David Garske, wolfSSL
Hi Rickou,
Congratulations! I am happy to hear you got it working. Let us know if anything else comes up.
Thanks,
David Garske, wolfSSL
Hi Rickou,
That's odd. Is it the same version of the CubeMX HAL for AES? Are you using the same AES GHASH build options, example: GCM_SMALL or GCM_TABLE_4BIT? The actual AES GCM test happens later. If it also fails then you might check to make sure the clock for the AES peripheral is enabled (__HAL_RCC_AES_CLK_ENABLE();).
Thanks,
David Garske, wolfSSL
Hi Rickou,
GMAC is the integrity portion of AES GCM and can be used like a hashing function. I suspect you won't need GMAC, but I will investigate the root cause with AES GCM HW crypto.
Can you share me your build settings to try and reproduce? With the CubeMX generated code the settings are usually in a wolfSSL/wolfSSL.I-CUBE-wolfSSL_conf.h.
Thanks,
David Garske, wolfSSL
Hi Rickou,
This issue was fixed in PR https://github.com/wolfSSL/wolfssl/pull/7787 on July 29, 2024.
Please confirm you are using the latest master or patch your code with this PR.
If you continue to have any issues please let us know.
Thanks,
David Garske, wolfSSL
Hi All,
As a followup to this topic, we did add support for getting the endorsement keys/certificates. You can find an example here:
https://github.com/wolfSSL/wolfTPM/tree … ndorsement
The answer to all of these is yes, but it does vary by TPM manufacture.
Let me know if you have any questions after reviewing the new example and endorsement (EK) support.
Thanks,
David Garske, wolfSSL
The memory use is lower for Single Precision (SP) math implementations, which is why using WOLFSSL_HAVE_SP_RSA resolves it for you. It also defaults to using math variables from stack, unless WOLFSSL_SMALL_STACK is used (then it comes from heap.
Thanks, David Garske, wolfSSL
Hi Leon,
I've transferred this incident to our internal Zendesk system. This will enable a better channel for communicating the details to help us reproduce and fix.
Thanks,
David Garske, wolfSSL
Hi Daniel,
Your use case sounds very interesting and is one we do support. The handshake operations taking the most time are the cryptographic ones for asymmetric operations like shared secret and sign/verify. If you are using an ECC only cipher suite like ECDHE-ECDSA then you can enable our non-blocking crypto with TLS and break operations into much smaller chunks.
When the non-blocking build option is enabled the crypto calls will return WC_PENDING_E and you would just call the wolfSSL_connect/wolfSSL_accept API's again until complete.
This does require our asynchronous code from https://github.com/wolfssl/wolfAsyncCrypt.
We posted a nice blog on it here: https://www.wolfssl.com/wolfssl-bare-me … yptography
This use case is supported and used by many customers. However it might be useful to setup a call to walk you through it and hear about your use case. We will be emailing you directly to reach out.
Thanks,
David Garske, wolfSSL
Hi Leon,
Thank you for this report. Can you provide a Wireshark track of this and steps to reproduce? Does this happen with both TLS v1.2 and TLS v1.3?
Please confirm the wolfSSL client version you are using and which TLS server (if possible). It is also nice to get the logs with --enable-debug (DEBUG_WOLFSSL) and calling wolfSSL_Debugging_ON();.
Can you tell us a bit about your project and where you are located?
Thanks,
David Garske, wolfSSL
Hi Eduardo,
I am not aware of any issues generating the configuration files. Can you confirm you have both wolfSSL and wolfTPM cube packs installed and selected/enabled?
https://www.wolfssl.com/files/ide/I-CUBE-wolfTPM.pack
https://www.wolfssl.com/files/ide/I-CUBE-wolfSSL.pack
Both packs should generate their own conf files using these templates:
https://github.com/wolfSSL/wolfTPM/blob … t_conf.ftl
https://github.com/wolfSSL/wolfssl/blob … t_conf.ftl
Can you tell me more about your project and use-case? I can't attach files here, but you can send an email to support at wolfssl dot com to use our ZenDesk system to get support. I can send you examples of the generated files.
Thanks,
David Garske, wolfSSL
Hi Eduardo,
I think you are seeing wolfTPM include wolfCrypt because we require it by default. We have Cube packs for both wolfSSL(wolfCrypt) and wolfTPM. wolfSSL(wolfCrypt) creates wolfSSL/wolfSSL.I-CUBE-wolfSSL_conf.h and wolfTPM creates wolfTPM/wolfSSL.I-CUBE-wolfTPM_conf.h.
If you want to use wolfTPM stand-alone you can disable the wolfCrypt support using WOLFTPM2_NO_WOLFCRYPT, however
you won't be able to do parameter encryption or import external private keys.
Thanks,
David Garske, wolfSSL
Hi Eduardo,
Thanks for your interest in using our STM32 Cube pack for wolfTPM. I assume you generated the IAR project using the CubeMX tool? The tool is supposed to add a pre-processor macro `USE_HAL_DRIVER` to your project. If not please add it. Then it will use the generated configuration file `wolfSSL.I-CUBE-wolfTPM_conf.h`.
For reference wolfssl/options.h is a file generated from ./configure or CMake, which you are not using.
Can you tell us more about your project?
Thanks,
David Garske, wolfSSL
Hi Pulkit,
Thanks for the question and talk this morning. You had WOLFSSL_SMALL_STACK defined and the HMAC struct was exceeding the available heap. The -125 error means an XMALLOC failed. Make sure you have all the SHA algorithms disabled that you do not need, leaving just SHA2-256 enabled. I also recommend removing WOLFSSL_SMALL_STACK in your case and increasing just the stack space in the linker script. Please let us know if you have any further issues.
Thanks,
David Garske, wolfSSL
Hi Arto,
Thank you for your interest in wolfBoot on the STM32. Which STM32 part are you trying to evaluate for?
We have automated testing that builds and runs most of the supported targets, so I am surprised you had issues. I will specifically try and reproduce the STM32G0 and STM32F4 issues.
We provide example configurations in config/examples that are good starting points, but typically you need some customizing for your specific part. The test-apps are really just for testing to demonstrate and can be useful for showing how to adjust your application to support the signed image header.
We will also reach out directly as we'd like to here about your project and how we can support you.
Thanks,
David Garske, wolfSSL
Hi Info61,
Please make sure you also init/update the submodules. We use a git submodule for the wolfCrypt files required for the signing tools
git submodule init
git submodule update
Thanks,
David Garske, wolfSSL
Hi Thomas,
Correct. The buckets and number of buckets can be overridden at build-time. See https://github.com/wolfSSL/wolfssl/blob … mory.h#L99
The buckets `WOLFMEM_BUCKETS` and number of buckets `WOLFMEM_MAX_BUCKETS` can all be setup for your specific implementation.
I don't have a good template for the buckets with RSA. I would recommend logging the mallocs() using `WOLFSSL_DEBUG_MEMORY` to see what your heap profile looks like. Then setup buckets of appropriate size. The buckets are buffer pools are various sizes. If the next available size is not available it will select the next largest.
Thanks,
David Garske, wolfSSL
Hi Thomas,
Can you try changing the RSA init to:
wc_InitRsaKey(&rsaPubKey, hint);?
Have you tried using a larger static memory pool? These get split into buckets so you won't have a large enough buffer. See WOLFMEM_BUCKETS. See https://www.wolfssl.com/docs/static-buffer-allocation/
Thanks,
David Garske, wolfSSL
Hi MO380,
Was your LWIP already working previously? That appears to be an internal LWIP issue. Have you properly configured LWIP NATIVE?
Have you tried without WOLFSSL_LWIP_NATIVE defined, which uses the LWIP POSIX interfaces (connect/send/recv/close).
Thanks,
David Garske, wolfSSL
Hi MO380,
Your build options likely have WOLFSSL_USER_IO set, which requires you setup your own callbacks using wolfSSL_CTX_SetIOSend and wolfSSL_SSLSetIORecv.
Try removing WOLFSSL_USER_IO and adding WOLFSSL_LWIP_NATIVE. Or if you have the LWIP POSIX layer enabled, you can just use our default POSIX ones by not defining WOLFSSL_LWIP_NATIVE.
Thanks,
David Garske, wolfSSL
Hi Patrick,
Yes that is a known issue and already fixed. You would need to update your wolfSSL. The latest is v5.6.6. You might be able to just pull over sp_cortexm.c if you are opposed to a full update.
Thanks,
David Garske, wolfSSL
Hi Patrick,
Can you confirm which API you are calling? Is it `wc_ecc_mulmod`? What ECC curve are you using?
If its one of the wc_ecc_mulmod and its one of the standard NIST prime curves like SECP256R1 then you can enable the Single Precision math speedups for Cortex M0 in sp_armthumb.c by defining the following build options:
WOLFSSL_HAVE_SP_ECC
WOLFSSL_SP_ARM_THUMB_ASM
WOLFSSL_SP_SMALL
WOLFSSL_SP_NO_MALLOC (optional)
This should provide a very significant speedup.
Thanks,
David Garske, wolfSSL
Hi ZLam,
Thanks for your questions. Can you tell me where you are located and more about your project?
The TPM has endorsements key(s) and certificate(s) provisioned by the manufacture. See: https://trustedcomputinggroup.org/resou … ished-pdf/
It varies by manufacture, but it is typically ECC and RSA. There is a place in NV to get the signed certificate elements. We support using the endorsement key for a few things in wolfTPM: https://github.com/wolfSSL/wolfTPM/blob … edential.c
We will soon be adding support for extracting the EK certificate(s) as well.
You can see some of the EK certificate support in the IBM TSS stack here: https://github.com/kgoldman/ibmtss/blob … /ekutils.c
Thanks,
David Garske, wolfSSL
Hi,
Would you mind trying with the latest wolfTPM v3.1.0 cube pack?
https://www.wolfssl.com/files/ide/wolfS … 3.1.0.pack
Thanks,
David Garske, wolfSSL
wolfSSL - Embedded SSL Library → Posts by dgarske
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.063 seconds (86% PHP - 14% DB) with 4 queries