1

(3 replies, posted in wolfSSL)

Hi artur

Glad to be able to help!

Thanks for the confirmation,
Sean :-)

2

(3 replies, posted in wolfSSL)

Hi artur,

The issue that debug is trying to show is that the server doesn't have an ECC key or certificate.
Please try the following server command line:

./example/server/server -l TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 -c ./certs/server-ecc-rsa.pem -k ./certs/ecckey.pem

Alternatively, if you are using ECC for all certificates in the chain, then this pair of command lines show the use:

./example/server/server -l TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 -c ./certs/server-ecc.pem -k ./certs/ecckey.pem
./example/client/client -l TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 -A ./certs/ca-ecc-cert.pem

Note that, by default, the client and server will use RSA keys and certificates.
These command lines are explicitly loading ECC keys and certificates. If you compile out RSA, then ECC keys and certificates are used by default.

Let us know if this works for you.

Sean

--
Sean Parkinson, wolfSSL
Senior Software Engineer

3

(4 replies, posted in wolfCrypt)

Hi Alex,

As my colleague David explained, there are multiple versions of ECIES supported through the wc_ecc_decrypt API.

The original ECIES algorithm required the public key created during encrypt to be sent to the peer OOBs.

Recently, support was added for common standards.
These standards have the public key included in the message.
There is no need to pass the public key in for these implementations.
If an ecc_key object is passed in then it will have the public key decoded into it though.

Sean Parkinson, wolfSSL

4

(11 replies, posted in wolfSSL)

Hi Alex,

David asked me if I had any thoughts on this.

ECIES is about securely sending a message from the client to the server.
The client uses a server's public, along with an ephemeral key, to create a secret that becomes the encryption key for an algorithm like AES.
Only the owner of the private key corresponding to the public key used can decrypt the message.
The client does not know who the public key is for unless PKI is used.
The server does not know who the client is.

PKI is used to authenticate the owner of the public key.
A certificate wraps the public key with information that identifies the server and the a chain of certificate is used to authenticate the certificate up to a root of trust. The root of trust is a known trusted certificate.

From your postings, you want to authenticate the client.
Creating an ephemeral key and signing is not going to allow the server to authenticate the client.
Any client can send a message with any ephemeral key.
PKI, using certificates, should be used again to authenticate the client's public key.

Does any of this help?

Sean Parkinson, wolfSSL

5

(6 replies, posted in wolfSSL)

Hi Scotty2541

The file sp_int.h has been updated in the latest master.

Please let me know if the changes help.

Thanks,
Sean

--
Sean Parkinson, wolfSSL
Senior Software Engineer

6

(2 replies, posted in wolfSSL)

Hi Christos,

It appears you want to replace our internal format of the ticket data.
CreateTicket() is where this is created and DoClientTicket() processes the internal data.

You will need to modify these functions to handle the format that you need.

Sean

Hi Christos,

I'd be interested to hear about you new key exchange mode!

The function that creates the NewSessionTicket is SendTls13NewSessionTicket() and the function that parses it is DoTls13NewSessionTicket() in wolfssl/src/tls13.c

Key exchange modes are handled on the server in DoPreSharedKeys() in wolfssl/src/tls13.c.

Try calling wolfSSL_set_group_messages() and this will send fewer messages which may then line up the packets sent with what you expect.
Detailed logging can be produced with wolfSSL TLS 1.3 with WOLFSSL_DEBUG_TLS.
Note you will need to enable logging output.

Sean
--
Sean Parkinson, wolfSSL

8

(12 replies, posted in wolfMQTT)

Hi Remy,

I'm not sure what's going wrong here.
The function Pkcs11EcKeyGen() is calling Pkcs11GetEccPublicKey() which will fail when the key doesn't load.
Does your version of wc_pkcs11.c have this call sequence?

Note: WOLFSSL_DEBUG_PKCS11 will show more debug information about the PKCS #11 calls.

Thanks,
Sean Parkinson, wolfSSL

Hi @CGH

OK. I know what I was doing wrong now.
Let me know which cipher suite you are using.
Please use AES-GCM if possible.

I did successfully connect to and get a page from api.tomtom.com:443 on Linux with the cipher suite ECDHE-RSA-AES128-SHA.

Sean
--
Sean Parkinson, wolfSSL
Senior Software Engineer

Hi @CGH,

I'm surprised that it isn't using TLS 1.2!
The client method only allows use of the TLS 1.2 protocol.
I'll have to think on this.

Have you replaced the HMAC or hash implementation with a hardware one?

Sean

--
Sean Parkinson, wolfSSL
Senior Software Engineer

Hi @CGH,

MaskMac returning a non-zero value is a failure result.
Therefore, the return of -1 is correct.

I'm not sure why MaskMac would fail. I did a quick test on Linux and it worked.
The MaskMac function is comparing 'expMac' with the MAC in 'data'.
There should be padding at the end of 'data' and before that the MAC.
The padding is a repeated byte that is the length of the padding. If you can't see the padding then maybe the decryption failed.

Note that TimingPadVerify is used with TLS 1.1 and new applications should be using TLS 1.2 as it is newer and more secure.
Try using TLS 1.2 and let me know if that works for you.

Sean
--
Sean Parkinson, wolfSSL
Senior Software Engineer

Hi @CGH,

Looking at the code, good will be zero when everything works.
That means that the bits are flipped and good will be all 1s.
Then good is reduced down to a single bit and therefore will have a value of 1.
Therefore ret is unchanged when things work.

Can you confirm that good is 0 before negation and that good is 0 before subtracting from 1?
Also, can you give me a context in which you are testing? That is, which client/servers are using.

Thanks,
Sean
--
Sean Parkinson, wolfSSL
Senior Software Engineer

Hi SamSam

Thanks for reporting this issue!
The default maximum ticket size as Kaleb has said was 4 bytes and needs to be 8 bytes.
This was chosen based on interoperability testing and that it doesn't really need to be a bigger than that!
The TLS 1.3 specification allows for the nonce to be up to 255 bytes.
I've put up a pull request, #1973, that changes the maximum to 8 bytes. I was able to connect to the i0.wp.com website.
The pull request will be merged into master soon.

Thanks,
Sean

--
Sean Parkinson, wolfSSL

Hi @jskier,

The problem is likely to be the difference in support for TLS 1.3 in wolfSSL and the browser.
Try configuring wolfSSL with --enable-wolfssl-tls13-draft23.
This will have wolfSSL use the Draft 23 version of the TLS 1.3 protocol which should be supported by the browsers.

- Sean