426 Reply by chrisc

(7 replies, posted in wolfSSL)

Hi Nitay,

Section 9.4 of the wolfSSL Manual (http://www.yassl.com/yaSSL/Docs-cyassl- … esign.html) talks a little about wolfSSL's thread safety.  Have you looked through that?

wolfSSL is generally thread safe, but reading from or writing to the same WOLFSSL object with multiple threads at one time is not supported.  You'll need to protect calls to wolfSSL_read() and wolfSSL_write() on the same WOLFSSL object with a mutex or similar to avoid more than one thread trying to call it simultaneously.

Best Regards,
Chris

Go to forum: wolfSSL

427 Reply by chrisc

(11 replies, posted in wolfSSL)

Thanks for the extra info Nitay.  I'll give this a try with your info on my end today and let you know what I find.

Thanks,
Chris

Go to forum: wolfSSL

428 Reply by chrisc

(2 replies, posted in wolfSSL)

You can also pass V=1 to make itself, ie:

./configure
make V=1

Go to forum: wolfSSL

429 Reply by chrisc

(5 replies, posted in wolfSSL)

Hi Yun,

Can you try defining NO_64BIT when building wolfSSL and let me know if it helps?

Thanks,
Chris

Go to forum: wolfSSL

430 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi Rahul,

You should be able to do a verbose build by passing the --verbose option to gcc using C_EXTRA_FLAGS during the ./configure step.  Like so:

./configure C_EXTRA_FLAGS="--verbose"

crti.o: No such file: No such file or directory

This looks like an error coming from somewhere else besides wolfSSL.  wolfSSL doesn't have a file called crti.c.  A quick Google search looked like it was related to building gcc itself.

Best Regards,
Chris

Go to forum: wolfSSL

431 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Frank,

What are the two cipher suites which you need to support?  Do you need threading support?  Do you need filesystem support?  With that info, there may be more I can help you eliminate.

On a desktop compiler, the footprint size you are seeing looks fairly normal.  On an embedded system being compiled with an embedded compiler (Keil, IAR, optimized gcc cross-compiler, etc.), we typically see a full wolfSSL build come in around 60kB.  Do you have the maximum compiler optimizations turned on for size?

Our smallest build possible is called "leanPSK".  Code size when using the LeanPSK build (--enable-leanpsk) can be as low as 20kB.  The LeanPSK build supports only TLS 1.2, SHA-1, SHA-256, and PSK (pre-shared keys).  Everything else (RSA, ARC4, MD5, DTLS, SSLv3, etc.) is disabled in order to try and get the footprint size as small as possible.

Best Regards,
Chris

Go to forum: wolfSSL

432 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Frank,

SSL_MODE_AUTO_RETRY isn't needed when using wolfSSL.  By default, when I/O operations are blocking and the handshake is being performed, the call will only return once the handshake has completed or an error occurred.

Best Regards,
Chris

Go to forum: wolfSSL

433 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Giancarlo,

WolfSSL embedded SSL only compresses at the application data level.  We implemented support for compression before a standard was finalized.  As such, we chose a non-standard number for ZLIB_COMPRESSION.  The specific number of 221 just being personal preference of the programmer.

Best Regards,
Chris

Go to forum: wolfSSL

434 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Rahul,

Thanks for the inquiry.  I just sent you an email with details.

Best Regards,
Chris

Go to forum: wolfSSL

435 Reply by chrisc

(11 replies, posted in wolfSSL)

Hi Nitay,

I just tried downloading wolfSSL 2.6.0 from Windows 7 x64, using Google Chrome 27.0.1453.94 m.  It worked for me.  Can you try again to make sure you're still not able to download? 

Is there any additional information you can give me about the situation?  What URL are you downloading from? What links did you click on to get to the download page?  Does it work on IE in Windows?

Thanks,
Chris

Go to forum: wolfSSL

436 Reply by chrisc

(5 replies, posted in wolfSSL)

Hi Yun,

What processor and environment are you using wolfSSL with?  Have you defined SIZEOF_LONG and SIZEOF_LONG_LONG to match those of your platform/compiler?

Thanks,
Chris

Go to forum: wolfSSL

437 Reply by chrisc

(11 replies, posted in wolfSSL)

Nitay,

Ok, thanks for letting me know.  Let me try it on Windows 7 x64 and I'll get back to you with my findings.

Thanks,
Chris

Go to forum: wolfSSL

438 Reply by chrisc

(4 replies, posted in wolfSSL)

Hi Dan,

By default, wolfSSL maps XMALLOC(), XFREE(), and XREALLOC() to wolfSSL_Malloc(), wolfSSL_Free(), and wolfSSL_Realloc() respectively, in wolfssl/ctaocrypt/types.h:

/* default C runtime, can install different routines at runtime via cbs */  
#include <wolfssl/ctaocrypt/memory.h>                                        
#define XMALLOC(s, h, t)     ((void)h, (void)t, wolfSSL_Malloc((s)))         
#define XFREE(p, h, t)       {void* xp = (p); if((xp)) wolfSSL_Free((xp));}  
#define XREALLOC(p, n, h, t) wolfSSL_Realloc((p), (n))

The way this is set up allows the user application to register their own memory functions at runtime via the memory callbacks that wolfSSL provides, but defaults to just using malloc(), free(), and realloc() if no custom memory functions have been registered.  For example, wolfSSL_Malloc(), which is used by default, is located in ctaocrypt/src/memory.c:

void* wolfSSL_Malloc(size_t size)                                                
{                                                                               
    void* res = 0;                                                              
                                                                               
    if (malloc_function)                                                        
        res = malloc_function(size);                                            
    else                                                                        
        res = malloc(size);                                                     
        #ifdef WOLFSSL_MALLOC_CHECK                                              
            if(res == NULL)                                                     
                err_sys("wolfSSL_malloc")  ;                                 
        #endif                                                                  
                                                                                
    return res;                                                                 
}

Best Regards,
Chris

Go to forum: wolfSSL

439 Reply by chrisc

(11 replies, posted in wolfSSL)

Nitay,

I just tested the download form on Chrome 27.0.1453.93 on OS X 10.6.8 and it seemed to be working correctly.  What OS/version are you using?

I just sent you an email containing the wolfSSL 2.6.0 package, but it would be nice to figure out why our download form isn't working for you as well.

Thanks,
Chris

Go to forum: wolfSSL

440 Reply by chrisc

(11 replies, posted in wolfSSL)

HI Nitay,

What browser and URL are you using to try and download wolfSSL?  Are you using the following link:
http://yassl.com/yaSSL/download/downloadForm.php

Thanks,
Chris

Go to forum: wolfSSL

441 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi,

The error you are seeing is caused by the fastmath library being enabled by default when building wolfSSL.  wolfSSL supports both the fastmath and normal big integer libraries.  fastmath is enabled by default because it provides better performance in general over the big integer library for public key operations (RSA, DH, DSA, etc.).

To solve this problem, see the README entry for wolfSSL 2.6.0:

wolfSSL Release 2.6.0 (04/15/2013)

Release 2.6.0 wolfSSL has bug fixes and new features including:
...
- ./configure builds default to fastmath option
    * Note, if on ia32 and building in shared mode this may produce a problem
      with a missing register being available because of PIC, there are at least
      5 solutions to this:
      1) --disable-fastmath , don't use fastmath
      2) --disable-shared, don't build a shared library
      3) C_EXTRA_FLAGS=-DTFM_NO_ASM , turn off assembly use
      4) use clang, it just seems to work
      5) play around with no PIC options to force all registers being open

Can you try one of these options to see if your problem is resolved?

Thanks,
Chris

Go to forum: wolfSSL

442 Reply by chrisc

(4 replies, posted in wolfSSL)

Hi Frank,

I could use RsaPublicEncrypt() but I have no means of using RSA_PKCS1_OAEP_PADDING padding.

Correct, for the RsaPublicEncrypt() function, wolfSSL currently uses PKCS #1 v1.5 padding from RFC 2313 (http://tools.ietf.org/html/rfc2313).  We haven't added support for RSA-OAEP padding as of this point.  Do you need OAEP padding or are you able to use RsaPublicEncrypt() with PKCS #1 v1.5 padding?

he compatibility layer of the ssl portion is almost a 100% job done. really excellent.
But when it comes to the area of crypto, there is really a lot of work to be done.

Traditionally we have offered the OpenSSL compatibility layer for those people porting applications from OpenSSL over to wolfSSL - allowing them to keep many of the same functions in their application code.  The compatibility layer contains about 300 of the most commonly used OpenSSL functions.  As there are over 4,000 OpenSSL functions, this layer does slowly grow as additional projects use it while porting over from OpenSSL to wolfSSL.

Best Regards,
Chris

Go to forum: wolfSSL

443 Reply by chrisc

(4 replies, posted in wolfSSL)

Hi Frank,

What's your overall goal that you are trying to accomplish in your application regarding RSA keys?  There may be an easier way to accomplish it using the wolfSSL API.

What should be the format of the key supplied to RsaPublicKeyDecode()? PEM or DER ?

The input key to RsaPublicKeyDecode() needs to be in DER format, correct.  wolfSSL embedded SSL does provide a function called CyaSSL_KeyPemToDer() to convert a PEM-encoded key to DER format.  You can also use the OpenSSL command line tool to easily convert a PEM-encoded RSA key to DER format.  You would do something similar to:

openssl rsa -inform PEM -in mykey.pem -outform DER -out mykey.der

I am also of the impression that RsaPublicKeyDecode() in wolfSSL can be be a replacement for PEM_read_bio_RSAPublicKey() or d2i_RSAPublicKey() in openssl without any issues since wolfSSL provides openssl compatibility layer for only private key rsa private key operations

RsaPublicKeyDecode() decodes a public RSA key from DER format into an internal RsaKey structure.

I couldn't find any function in wolfSSL for encoding public keys.

If wolfSSL is compiled with key generation (--enable-keygen or define WOLFSSL_KEY_GEN), wolfSSL provides the RsaKeyToDer() function which will convert an internal RsaKey to a DER-encoded buffer.  Is this similar to what you are looking for?

Best Regards,
Chris

Go to forum: wolfSSL

444 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Frank,

Thanks for looking at using wolfSSL embedded SSL.  Do you mind if I ask what kind of application you are working on?

Do you need to use the OpenSSL API, or would it work to use the native wolfSSL/wolfCrypt API?

As you noted, wolfSSL provides AesSetKeyDirect() and AesCtrEncrypt() to be used for AES-CTR encryption.  The AesCtrEncrypt() function looks like:

void AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)

aes is a pointer to the Aes object (or "context") being used for the given AES encrypt operation.  in is a pointer to your input data, of size sz.  The AES-CTR encrypted data is then placed into the buffer pointed to by out.

Although wolfSSL does have the wolfSSL_EVP_aes_128_ctr() function in its OpenSSL compatibility layer, it is currently just a stub.

Best Regards,
Chris

Go to forum: wolfSSL

445 Reply by chrisc

(5 replies, posted in wolfSSL)

Hi Yun,

For performance, we usually recommend configuring wolfSSL to use the fastmath library instead of the normal big integer library.  To do so, you can either use the "--enable-fastmath" ./configure option or define USE_FAST_MATH.

USE_FAST_MATH switches the big integer library to a faster one that uses assembly if possible.  fastmath will speed up public key operations like RSA, DH, and DSA.  The big integer library is generally the most portable and generally easiest to get going with, but the negatives to the normal big integer library are that it is slower and it uses a lot of dynamic memory.  Because the stack memory usage can be larger when using fastmath, we recommend defining TFM_TIMING_RESISTANT as well when using this option.

Best Regards,
Chris

Go to forum: wolfSSL

446 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Philhippus,

You can concatenate several certificates into a single .pem file, yes.  When done this way, wolfSSL embedded SSL will load all the certificates in the file as trusted certificates.

Best Regards,
Chris

Go to forum: wolfSSL

447 Reply by chrisc

(7 replies, posted in wolfSSL)

X-log,

Just for reference, FP_MAX_BITS can also be set at compile time as a define.  This will let you avoid manually changing the wolfSSL sources, and make upgrading to newer versions of wolfSSL easier.

Regards,
Chris

Go to forum: wolfSSL

448 Reply by chrisc

(4 replies, posted in yaSSL (Deprecated) [READ ONLY])

Satish,

The certificates and keys in our yaSSL CVS repository have now been updated.  You can find the yaSSL CVS repository on Sourceforge at the following URL:

https://sourceforge.net/projects/yassl/

Best Regards,
Chris

Go to forum: yaSSL (Deprecated) [READ ONLY]

449 Reply by chrisc

(4 replies, posted in yaSSL (Deprecated) [READ ONLY])

Hi Satish,

Are you downloading CyaSSL from this link?

http://yassl.com/yaSSL/download/downloadForm.php

If so, can you let me know what browser/version you are using to download?

Thanks,
Chris

Go to forum: yaSSL (Deprecated) [READ ONLY]

450 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi,

Thanks for bringing this to our attention.  The "(void)outLen" lines were put in place to fix a compiler warning related to unused variables. 

Can you let us know what compiler you are using (and if you are turning on any non-standard settings) so we can check for other potential areas where this may happen?

Thanks,
Chris

Go to forum: wolfSSL