You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by dgarske
Hi Bijak Dawid,
Perhaps you can share your code, so I can attempt to reproduce with wolfTPM? Does the tpm2-tools sequence work correctly? If you'd like to keep your code private you can email support at wolfssl dot com.
The most similar examples are probably:
* examples/nvram/policy_nv.c
* examples/boot/secret_seal.c
Thanks,
David Garske, wolfSSL
Hi Chinmay,
I implemented some of your feedback in this PR: https://github.com/wolfSSL/wolfssl/pull/8488
In the background we will look at ways to reduce the code size for DTLS v1.3 only.
If you are only a server or client you can use the NO_WOLFSSL_SERVER and NO_WOLFSSL_CLIENT options to reduce code size.
Thanks,
David Garske, wolfSSL
Hi Chinmay,
Thanks for your interest in our DTLS v1.3 support.
1) You are correct, the build configuration options and template for the ST Cube Pack do not yet have DTLS v1.3.
The configuration template comes from: https://github.com/wolfSSL/wolfssl/blob … t_conf.ftl
For now you can manually add:
#define WOLFSSL_DTLS
#define WOLFSSL_DTLS13We will work on adding DTLS v1.3 to the template.
2) The DTLS v1.3 code requires DTLS and TLS v1.3 code (for now). Are you seeing an issue with code size? I have logged this as a feature request.
4) The option WOLF_CONF_TLS12 comes from the pack "STM32CubeMX/wolfSSL.I-CUBE-wolfSSL.5.7.6_Configs.xml" file. The GUI generates an option for this: `<Argument AddressOf="false" Comment="WOLF_CONF_TLS12" GenericType="simple" Name="WOLF_CONF_TLS12" OptimizationCondition="equal"/>`.
Thanks,
David Garske, wolfSSL
Hi Fred,
When you build wolfssl use ./configure --enable-wolfssh. That will include this `wc_SSH_KDF` API. Please let us know if that does not help. See: https://github.com/wolfSSL/wolfssh?tab= … pendencies
Thanks,
David Garske, wolfSSL
Hi Dennis,
Another reason for this could be missing SNI. Make sure you have enabled SNI (HAVE_SNI) and called the API to set the hostname.
See https://www.wolfssl.com/using-server-na … h-wolfssl/
Thanks,
David Garske, wolfSSL
Hi Dennis,
Are you able to capture a Wireshark for this? The client is sending a client_hello and the server is reporting back a handshake failure (40) and closing the socket. Who is the server? Perhaps the server requires TLS v1.3 and you don't have that enabled in your build options. Can you share how you built wolfSSL (user_settings.h file)?
It might be helpful to experiment with a simulator like https://github.com/dolphin-emu/dolphin first.
Thanks,
David Garske, wolfSSL
Hi SunnySunday,
Have you reviewed the instructions for setting up the environment here? https://github.com/wolfSSL/wolfssl/tree … CRYPTOCELL
That file should be part of the Nordic SDK.
Thanks,
David Garske, wolfSSL
Hi Mark,
This error with r7 is becuase the cortex-m uses it when building with debug. To get around this you can add
-fomit-frame-pointerto your CFLAGS.
I added a note in the STM32Cube pack README.md regarding this:
https://github.com/wolfSSL/wolfssl/tree … pack-usage
If seeing `error: r7 cannot be used in 'asm'` add `-fomit-frame-pointer` to the CFLAGS. This only happens in debug builds, because r7 is used for debug.
Thanks,
David Garske, wolfSSL
Hi SunnySunday,
It's been added in PR https://github.com/wolfSSL/wolfssl/pull/7995 and should be merged shortly. It will be in the next release planned in a few weeks.
Can you tell us more about your project and use-case involving connection ID with DTLS v1.2? Feel free to email support at wolfssl dot com if you'd like to keep it confidential.
Thanks,
David Garske, wolfSSL
Hi Riker,
The error -229 means the RSA signature verification failed. It could mean the public key presented doesn't match the private key used. It could also be that it's an RSA key size that is not enabled. For example using RSA 4096-bit might require setting SP_INT_BITS 4096. Or perhaps it's trying to use an older SHA-1 or a new SHA2/SHA3 that is not enabled.
Can you share more of the logs or wirehshark? Can you tell us more about the hardware platform running wolfSSH client? Can you share the build settings used for wolfCrypt and wolfSSH?
Thanks,
David Garske, wolfSSL
Hi Rickou,
Congratulations! I am happy to hear you got it working. Let us know if anything else comes up.
Thanks,
David Garske, wolfSSL
Hi Rickou,
That's odd. Is it the same version of the CubeMX HAL for AES? Are you using the same AES GHASH build options, example: GCM_SMALL or GCM_TABLE_4BIT? The actual AES GCM test happens later. If it also fails then you might check to make sure the clock for the AES peripheral is enabled (__HAL_RCC_AES_CLK_ENABLE();).
Thanks,
David Garske, wolfSSL
Hi Rickou,
GMAC is the integrity portion of AES GCM and can be used like a hashing function. I suspect you won't need GMAC, but I will investigate the root cause with AES GCM HW crypto.
Can you share me your build settings to try and reproduce? With the CubeMX generated code the settings are usually in a wolfSSL/wolfSSL.I-CUBE-wolfSSL_conf.h.
Thanks,
David Garske, wolfSSL
Hi Rickou,
This issue was fixed in PR https://github.com/wolfSSL/wolfssl/pull/7787 on July 29, 2024.
Please confirm you are using the latest master or patch your code with this PR.
If you continue to have any issues please let us know.
Thanks,
David Garske, wolfSSL
Hi All,
As a followup to this topic, we did add support for getting the endorsement keys/certificates. You can find an example here:
https://github.com/wolfSSL/wolfTPM/tree … ndorsement
The answer to all of these is yes, but it does vary by TPM manufacture.
Let me know if you have any questions after reviewing the new example and endorsement (EK) support.
Thanks,
David Garske, wolfSSL
The memory use is lower for Single Precision (SP) math implementations, which is why using WOLFSSL_HAVE_SP_RSA resolves it for you. It also defaults to using math variables from stack, unless WOLFSSL_SMALL_STACK is used (then it comes from heap.
Thanks, David Garske, wolfSSL
Hi Leon,
I've transferred this incident to our internal Zendesk system. This will enable a better channel for communicating the details to help us reproduce and fix.
Thanks,
David Garske, wolfSSL
Hi Daniel,
Your use case sounds very interesting and is one we do support. The handshake operations taking the most time are the cryptographic ones for asymmetric operations like shared secret and sign/verify. If you are using an ECC only cipher suite like ECDHE-ECDSA then you can enable our non-blocking crypto with TLS and break operations into much smaller chunks.
When the non-blocking build option is enabled the crypto calls will return WC_PENDING_E and you would just call the wolfSSL_connect/wolfSSL_accept API's again until complete.
This does require our asynchronous code from https://github.com/wolfssl/wolfAsyncCrypt.
We posted a nice blog on it here: https://www.wolfssl.com/wolfssl-bare-me … yptography
This use case is supported and used by many customers. However it might be useful to setup a call to walk you through it and hear about your use case. We will be emailing you directly to reach out.
Thanks,
David Garske, wolfSSL
Hi Leon,
Thank you for this report. Can you provide a Wireshark track of this and steps to reproduce? Does this happen with both TLS v1.2 and TLS v1.3?
Please confirm the wolfSSL client version you are using and which TLS server (if possible). It is also nice to get the logs with --enable-debug (DEBUG_WOLFSSL) and calling wolfSSL_Debugging_ON();.
Can you tell us a bit about your project and where you are located?
Thanks,
David Garske, wolfSSL
Hi Eduardo,
I am not aware of any issues generating the configuration files. Can you confirm you have both wolfSSL and wolfTPM cube packs installed and selected/enabled?
https://www.wolfssl.com/files/ide/I-CUBE-wolfTPM.pack
https://www.wolfssl.com/files/ide/I-CUBE-wolfSSL.pack
Both packs should generate their own conf files using these templates:
https://github.com/wolfSSL/wolfTPM/blob … t_conf.ftl
https://github.com/wolfSSL/wolfssl/blob … t_conf.ftl
Can you tell me more about your project and use-case? I can't attach files here, but you can send an email to support at wolfssl dot com to use our ZenDesk system to get support. I can send you examples of the generated files.
Thanks,
David Garske, wolfSSL
Hi Eduardo,
I think you are seeing wolfTPM include wolfCrypt because we require it by default. We have Cube packs for both wolfSSL(wolfCrypt) and wolfTPM. wolfSSL(wolfCrypt) creates wolfSSL/wolfSSL.I-CUBE-wolfSSL_conf.h and wolfTPM creates wolfTPM/wolfSSL.I-CUBE-wolfTPM_conf.h.
If you want to use wolfTPM stand-alone you can disable the wolfCrypt support using WOLFTPM2_NO_WOLFCRYPT, however
you won't be able to do parameter encryption or import external private keys.
Thanks,
David Garske, wolfSSL
Hi Eduardo,
Thanks for your interest in using our STM32 Cube pack for wolfTPM. I assume you generated the IAR project using the CubeMX tool? The tool is supposed to add a pre-processor macro `USE_HAL_DRIVER` to your project. If not please add it. Then it will use the generated configuration file `wolfSSL.I-CUBE-wolfTPM_conf.h`.
For reference wolfssl/options.h is a file generated from ./configure or CMake, which you are not using.
Can you tell us more about your project?
Thanks,
David Garske, wolfSSL
Hi Pulkit,
Thanks for the question and talk this morning. You had WOLFSSL_SMALL_STACK defined and the HMAC struct was exceeding the available heap. The -125 error means an XMALLOC failed. Make sure you have all the SHA algorithms disabled that you do not need, leaving just SHA2-256 enabled. I also recommend removing WOLFSSL_SMALL_STACK in your case and increasing just the stack space in the linker script. Please let us know if you have any further issues.
Thanks,
David Garske, wolfSSL
Hi Arto,
Thank you for your interest in wolfBoot on the STM32. Which STM32 part are you trying to evaluate for?
We have automated testing that builds and runs most of the supported targets, so I am surprised you had issues. I will specifically try and reproduce the STM32G0 and STM32F4 issues.
We provide example configurations in config/examples that are good starting points, but typically you need some customizing for your specific part. The test-apps are really just for testing to demonstrate and can be useful for showing how to adjust your application to support the signed image header.
We will also reach out directly as we'd like to here about your project and how we can support you.
Thanks,
David Garske, wolfSSL
Hi Info61,
Please make sure you also init/update the submodules. We use a git submodule for the wolfCrypt files required for the signing tools
git submodule init
git submodule update
Thanks,
David Garske, wolfSSL
wolfSSL - Embedded SSL Library → Posts by dgarske
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.023 seconds (71% PHP - 29% DB) with 4 queries