1

(7 replies, posted in wolfSSL)

Hello,
I really appreciate your help, thank you very much.

This issue,  if I understand it, a little bit different.

I've tried to test ECDHE_ECDSA cipher suites with SHA384 hash algorithm and tried to remove sha256.o from the build by NO_SHA256 define. That didn't work due to asn.c/asn.h.

If I try ECDHE_PSK_..._SHA384 cipher suites I still can't make a build without sha256.o due to asn.h.

The problem is, that if I want only SHA384 in my cipher suites I can't remove SHA256 from the build.
Probably, it somehow related to enabling ECC, as I don't remember such a problem when I was trying DHE_RSA_..._SHA384 cipher suites.

Best regards.

2

(7 replies, posted in wolfSSL)

Hello,

I'm back to the office and can definitely say that asn.h is needed while using ECC.
asn.h requires sha256.h, thus NO_SHA256 can't be defined.

If I want to use certificates, by removing NO_CERTS define, I need to add asn.o to the build and still can't define NO_SHA256 because of the above reason and that asn.c have calls to sha256.c functions.

Best regards.

3

(6 replies, posted in wolfSSL)

Hello,

I'm a programmer from a small company "Xdimax LTD" in Israel.
Thanks for your great support.

Best regards.

4

(7 replies, posted in wolfSSL)

Hello,

Sorry, more likely I'm mistaken.
As I understand, the need for asn.o is coming from certificate usage.

But the problem still remains.

Best regards.

5

(7 replies, posted in wolfSSL)

Hello,
Thanks Kaleb for the reply,

I do have the following defines:
#define WOLFSSL_STM32F2
#define WC_NO_HASHDRBG
#define CUSTOM_RAND_GENERATE_BLOCK(OUT,SZ) wc_GenerateSeed(NULL,OUT,SZ)

But it seems I cannot add ecc.o to the build without asn.o as ecc needs some asn functionality like DecodeAuthKeyId, DecodeSubjKeyId, ParseCertRelative, etc...

Or maybe I'm missing something?

Best regards.

6

(7 replies, posted in wolfSSL)

Hello,

If I need to add asn.o to my build and I have NO_SHA256 define (I have WOLFSSL_SHA512 & WOLFSSL_SHA384 instead) I get a lot of errors from asn.c and asn.h files regarding SHA256 part.

As I understand it, the ASN module can't be used without SHA256. Here are some examples:

#ifdef NO_SHA
    ret = wc_Sha256Hash(&cert->source[idx], length + cert->srcIdx - idx, hash);
#else
    ret = wc_ShaHash(&cert->source[idx], length + cert->srcIdx - idx, hash);
#endif

#ifdef NO_SHA
    KEYID_SIZE          = SHA256_DIGEST_SIZE,
#else
    KEYID_SIZE          = SHA_DIGEST_SIZE,
#endif

Is there a way to get rid from SHA256?

Best regards.

7

(6 replies, posted in wolfSSL)

Hello,
Thank you for the reply.

We are manufacturing controller devices for home automation, that are running on STM32F217 with 512KB ROM and 128KB RAM. The devices have lots of functionality and we're very close to the end of memory (ROM and RAM). Every device has an option to connect to our server, the connection have to be secured.

We don't have some crucial build size and stack usage requirements from SSL module and we understand that there is some tradeoff between security level and memory footprint. Our approach is to choose several ciphers and make the lowest footprint possible for each. Only then we will be able to decide what cipher, and as a result what build, suites the best our need.

Currently I'm tasked to test TLS_ECDHE_PSK_... cipher as it allows to disable the certificate part of the code and reduce the footprint by a good amount. By investigating the code I found the options to disable ECC sign/verify/key_import/key_export, but,
as I've described in the first post, I get errors during compilation.

So, if I understood correctly, at this moment if defining HAVE_ECC the sign/verify/key_import/key_export options cannot be excluded from the build and these four defines are not allowed to be used?

Thanks in advance.
Best regards.

8

(6 replies, posted in wolfSSL)

Hello,

Some insight on the matter, please.
As I understand, the defines:
    #define NO_ECC_SIGN
    #define NO_ECC_VERIFY
    #define NO_ECC_KEY_IMPORT
    #define NO_ECC_KEY_EXPORT
have to exclude these undefined functions call from the code, but it doesn't happen.

Thanks in advance.
Best regards.

9

(6 replies, posted in wolfSSL)

Hello,

I'm trying to make a minimum footprint for ECC build.
The cipher I want to test is : TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256

Thus, regarding the ECC, I've defined:
    #define HAVE_ECC
    #define ECC_USER_CURVES /* Will use default ECC256 size */
    #define NO_ECC_SIGN
    #define NO_ECC_VERIFY
    #define NO_ECC_KEY_IMPORT
    #define NO_ECC_KEY_EXPORT

When trying to compile I get a lot of errors in internal.c and asn.c files:
    undefined reference to `wc_ecc_verify_hash'
    undefined reference to `wc_ecc_sign_hash'
    undefined reference to `wc_ecc_import_x963_ex'
    undefined reference to `wc_ecc_export_x963'
    undefined reference to `wc_ecc_import_private_key_ex'

For this project I have two more defines that may be related to the topic:
    #define NO_CERTS
    #define NO_WOLFSSL_SERVER

Are there more options I need to disable/enable to make it work?

Best regards.

10

(6 replies, posted in wolfSSL)

Hello,

Thanks, David.
It seems OK.
Thank you for the help.

Best regards.

11

(6 replies, posted in wolfSSL)

Hello,
Thanks for the fast reply.

I had working application with wolfSSL-3.9.10 and was able to use various ciphers with AES_GCM.
With the new 3.12.0 version I can use AES_CBC instead, but that's not what I need.

Best regards.

12

(6 replies, posted in wolfSSL)

Hello again,

Some update on the issue.
According to STM32F4 reference manual this function (CRYP_AES_GCM) is available only for STM32F42xxx and STM32F43xxx processors. It's not available for other STM32F4 series, as they don't have GCM algorithm mode implemented in HW.
And, as I understand, it's not available for STM32F2 series as well.

Best regards.

13

(6 replies, posted in wolfSSL)

Hello,

When trying to compile wolfSSL to my project I get an error in aes.c file pointing to CRYP_AES_GCM function.
I have the latest standard peripheral library for STM32F2 and it seems the function don't exist in the library, it exist in STM32F4 library though.
Am I doing something wrong?

Thank in advance.
Best regards.

14

(7 replies, posted in wolfSSL)

Hello dgarske,
I'm very grateful for your help.
Thanks a lot.
Best regards.

15

(7 replies, posted in wolfSSL)

Thank, dgarske, for the response,

My application communicates only with my server.
On some stage of the development we decided to use SHA384.
That means we won't use SHA256 for sure.
My task for now is to make minimum footprint possible.

As I understand CUSTOM_RAND_GENERATE_BLOCK and STM32F2_RNG can't be combined.
So, my option is: #define CUSTOM_RAND_GENERATE_BLOCK(in, out) wc_GenerateSeed(NULL, in, out)

Am I right? Will it work?

Best regards.

16

(7 replies, posted in wolfSSL)

Hello,
Some insight on the matter?
Why do I need it (I mean CUSTOM_RAND_GENERATE_BLOCK) as I already have random block generator function?
Best regards.

17

(7 replies, posted in wolfSSL)

Thank a lot for the fast reply,
My project runs on STM32F2, so I have the WOLFSSL_STM32F2 define, that on its own defines STM32F2_RNG.
Thus I have int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz); func adjusted to my processor hardware.
Do I still need to define CUSTOM_RAND_GENERATE_BLOCK?
Best regards.

18

(7 replies, posted in wolfSSL)

Hello,
I compile wolfSSL directly to my project, my defines in user_settings.h give me three ciphers to work with:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

So far it works good, without any issues.

Now I want to use SHA384, thus I added two more defines to my user_settings.h:
#define NO_SHA256 //I don't need any more this option in my ciphers
#define WOLFSSL_SHA384 //I want only SHA384 in my ciphers
And, of cause, I removed sha256.o and added sha512.o to the build.

But it seems I cannot do it this way, the errors I receive:

Compiling file: ../wolfssl-3.9.10/src/ssl.c ..................
In file included from ../wolfssl-3.9.10/wolfssl/internal.h:33:0,
from ../wolfssl-3.9.10/src/ssl.c:35:
../wolfssl-3.9.10/wolfssl/wolfcrypt/random.h:63:10: error: #error "Hash DRBG requires SHA-256."
#error "Hash DRBG requires SHA-256."
^
In file included from ../wolfssl-3.9.10/wolfssl/internal.h:47:0,
from ../wolfssl-3.9.10/src/ssl.c:35:
../wolfssl-3.9.10/wolfssl/wolfcrypt/asn.h:143:27: error: 'SHA256_DIGEST_SIZE' undeclared here (not in a function)
KEYID_SIZE = SHA256_DIGEST_SIZE,
^
In file included from ../wolfssl-3.9.10/wolfssl/internal.h:66:0,
from ../wolfssl-3.9.10/src/ssl.c:35:
../wolfssl-3.9.10/wolfssl/wolfcrypt/hmac.h:100:23: error: 'SHA384_DIGEST_SIZE' undeclared here (not in a function)
MAX_DIGEST_SIZE = SHA384_DIGEST_SIZE,
^
../wolfssl-3.9.10/wolfssl/wolfcrypt/hmac.h:101:23: error: 'SHA384_BLOCK_SIZE' undeclared here (not in a function)
HMAC_BLOCK_SIZE = SHA384_BLOCK_SIZE
^
../wolfssl-3.9.10/wolfssl/wolfcrypt/hmac.h:129:9: error: unknown type name 'Sha384'
Sha384 sha384;
^
In file included from ../wolfssl-3.9.10/src/ssl.c:35:0:
../wolfssl-3.9.10/wolfssl/internal.h:2654:5: error: unknown type name 'Sha384'
Sha384 hashSha384; /* sha384 hash of handshake msgs */
^
Makefile:72: recipe for target '_output/ssl.o' failed
make: *** [_output/ssl.o] Error 1

In order to make it work I have to remove NO_SHA256 define, add WOLFSSL_SHA512 define and add sha256.o to the build.

Is there a possibility to have SHA384 without SHA256 and SHA512 as it adds unwanted ciphers and more code.

Thanks for the help.