476 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi,

Thanks for the post.  Maybe we should look at differentiating the two or making a note in the documentation about these two projects being separate from each other.  Thanks for bringing this to our attention.

Best Regards,
Chris

Go to forum: wolfSSL

477 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi,

Thanks for looking at wolfSSL for your project.  Regarding the NTRU license, I'll put you in contact with our business / licensing guys (using the email you registered on the forums with).

The SWIG bindings we currently include in our download don't yet have support for Java, so at the moment, you'd need to use wolfSSL's C API.

Best Regards,
Chris

Go to forum: wolfSSL

478 Reply by chrisc

(3 replies, posted in wolfSSL)

Dan,

Your understanding is correct in that if the SSL handshake has not been completed by wolfSSL_connect() or wolfSSL_accept(), the wolfSSL_read() and wolfSSL_write() calls will end up calling wolfSSL_negotiate(), which will try to complete the handshake - doing both reads and writes. 

If for example wolfSSL_read() ends up doing both writes and reads to finish the SSL handshake, they won't interfere with each other because they are in the same thread, right?

- Chris

Go to forum: wolfSSL

479 Reply by chrisc

(4 replies, posted in wolfSSL)

Hi,

Thanks for the report and for letting us know what worked for you.  When we put the example MQX project files together, we were using MQX 3.8 with a TWRK70F120M.  It looks like we'll have to update them for 4.0.  Thanks again for the note - I'll keep you updated on the status of this and what we find.

Thanks,
Chris

Go to forum: wolfSSL

480 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi Dan,

It sounds like there are a couple of ways you could go about using wolfSSL embedded ssl in your application:

1.  If your application uses non-blocking sockets, you can just call wolfSSL_read() when data is available for reading and wolfSSL_write() when data is available to be written.  LwIP has a select() function which is designed for this purpose.  Using this method the calls shouldn't block each other since wolfSSL_read() and wolfSSL_write() would never block.

2.  You could use wolfSSL's default I/O callbacks with a mutex.  If your application didn't get the mutex until right before the wolfSSL_read() or wolfSSL_write() call, they wouldn't block each other.  If wolfSSL needed more data but it wasn't ready yet, wolfSSL_read() will return SSL_ERROR_WANT_READ while wolfSSL_write() would return SSL_ERROR_WANT_WRITE.

Best Regards,
Chris

Go to forum: wolfSSL

481 Topic by chrisc

(0 replies, posted in Announcements)

Researchers have found a new a new attack vector for TLS 1.1 and 1.2 protocol implementations, which wolfSSL has promptly fixed in its leading embedded TLS product with release 2.5.0 of the wolfSSL (formerly CyaSSL) library (https://www.wolfssl.com/wolfSSL/downloa … adForm.php).

In the paper "Lucky Thirteen: Breaking the TLS and DTLS Record Protocols" authors Nadhem AlFardan and Kenneth Paterson present a family of attacks that apply to CBC-mode for TLS (1.1 and 1.2) and DTLS (1.0 and 1.2). All of the attacks are based on a delicate timing analysis of the decryption processing needed in block mode. The various attacks are distinguishing, partial plaintext recovery, and full plaintext recovery in nature. All the attacks exploit the protocol when badly formatted padding is handled during processing. A MAC verification must still be performed on something to prevent existing timing attacks. The RFCs suggest using a zero-length pad which was thought to be safe, but these attacks show that it can be exploited.

There are a few ways to avoid the attack. Using stream ciphers is the simplest. Stream ciphers like ARC4, HC- 128, and RABBIT are not vulnerable because they don't use block mode and padding. HC-128 and RABBIT are unique to wolfSSL and also have the benefit of being extremely fast. Another way is to use Authenticated Encryption like AES-GCM and AES-CCM instead of block mode with CBC. wolfSSL includes several cipher suites utilizing Authenticated Encryption algorithms. Lastly, wolfSSL implemented the countermeasures suggested in the paper in version 2.5.0 to avoid timing attacks.

Founded in 2004, wolfSSL offers open-source, embedded security solutions that are fast, small, portable and standard compliant including wolfSSL, the C-language SSL library for embedded and RTOS environments; yaSSL, the embedded C++ SSL library; and yaSSL Embedded Web Server, a fast, embeddable, secure web server. Dual licensed, wolfSSL caters to the security applications in industrial automation, smart energy, surveillance, medical, military, telecommunications markets and the open-source community. Distributed worldwide, wolfSSL is headquartered in Bozeman, Montana.

wolfSSL Product Page:  https://www.wolfssl.com/wolfSSL/Products-wolfssl.html
wolfSSL Blog:  https://www.wolfssl.com/wolfSSL/Blog/Blog.html

Go to forum: Announcements

482 Topic by chrisc

(0 replies, posted in Announcements)

Release 2.5.0 of the CyaSSL lightweight SSL/TLS library has been released and is now available for download (http://yassl.com/yaSSL/download/downloadForm.php).  This release has bug fixes and new features including:

- Fix for TLS CBC padding timing attack identified by Nadhem Alfardan and Kenny Paterson: http://www.isg.rhul.ac.uk/tls/
- Microchip PIC32 (MIPS16, MIPS32) support
- Microchip MPLAB X example projects for PIC32 Ethernet Starter Kit
- Updated CTaoCrypt benchmark app for embedded systems
- 1024-bit test certs/keys and cert/key buffers
- AES-CCM-8 crypto and cipher suites
- Camellia crypto and cipher suites
- Bumped minimum autoconf version to 2.65, automake version to 1.12
- Addition of OCSP callbacks
- STM32F2 support with hardware crypto and RNG
- Cavium NITROX support

CTaoCrypt now has support for the Microchip PIC32 and has been tested with the Microchip PIC32 Ethernet Starter Kit, the XC32 compiler and MPLAB X IDE in both MIPS16 and MIPS32 instruction set modes. See the README located under the <cyassl_root>/mplabx directory for more details.

To add Cavium NITROX support do:

./configure --with-cavium=/home/user/cavium/software

pointing to your licensed cavium/software directory.  Since Cavium doesn't build a library we pull in the cavium_common.o file which gives a libtool warning about the portability of this.  Also, if you're using the github source tree you'll need to remove the -Wredundant-decls warning from the generated Makefile because the cavium headers don't conform to this warning.  Currently CyaSSL supports Cavium RNG, AES, 3DES, RC4, HMAC, and RSA directly at the crypto layer.  Support at the SSL level is parital and currently just does AES, 3DES, and RC4.  RSA and HMAC are slower until the Cavium calls can be utilized in non blocking mode.  The example client turns on cavium support as does the crypto test and benchmark.  Please see the HAVE_CAVIUM define.

CyaSSL is able to use the STM32F2 or STM32F4 hardware-based cryptography and random number generator through the STM32F2 Standard Peripheral Library. For necessary defines, see the CYASSL_STM32F2 define in settings.h. Documentation for the STM32F2 Standard Peripheral Library can be found in the following document:
http://www.st.com/internet/com/TECHNICA … 023896.pdf

The CyaSSL manual is available online or in PDF format.  For build instructions and comments about the new features please check the manual.  If you have any question, please contact us at info (at) yassl (dot) com.

Go to forum: Announcements

483 Topic by chrisc

(0 replies, posted in Announcements)

A while back, we started a series on the PKCS standards.  Our first post was about PKCS #1, the RSA Cryptography Standard.  This is the second post in the PKCS standards series, introducing PKCS #3 - the Diffie-Hellman Key Agreement Standard.

PKCS #3 is the Diffie-Hellman Key Agreement Standard and is currently defined by version 1.4 of the specification, located here: http://www.rsa.com/rsalabs/node.asp?id=2126.  It defines a standard enabling two parties to agree on a secret key known only to them (without having prior arrangements).  This is done in such a way that even if an eavesdropper is listening to the communication channel on which the key agreement took place, the eavesdropper will not be able to obtain the secret key.  After the secret key has been agreed upon by the two involved parties, it may be used in a subsequent operation - such as encrypting further communications between the two parties.

The specification itself defines standards for parameter generation, Phase 1 and 2 of the key agreement, and the object identifier to be used.

A. Parameter Generation

As stated in the specification, “a central authority shall generate Diffie-Hellman parameters, and the two phases of key agreement shall be performed with these parameters.”  This central authority will generate several parameters including an odd prime (p) and an integer (g), where the base satisfies 0 < g < p.  It may also optionally select an integer (l) which is the private-value length in bits and which satisfies 2^(l-1) <= p.

B. Phase 1

This section of the specification describes the first (of two) phases of the Diffie-Hellman key agreement and contains three steps, namely:

-private-value generation
-exponentiation
-integer-to-octet-string conversion

As stated by the specification, “the input to the first phase shall be the Diffie-Hellman parameters.  The output from the first phase shall be an octet string PV, the public value; and an integer x, the private value.”  Each party of the key agreement will perform Phase 1 independently of the other party.

C. Phase 2

This section of the specification describes the second phase of the Diffie-Hellman key agreement and contains three steps as well, namely:

-octet-string-to-integer conversion
-exponentiation
-integer-to-octet-string conversion

As stated by the specification, “the input to the second phase shall be the Diffie-Hellman parameters; an octet string PV’, the other entity’s public value; and the private value x.  The output from the second phase shall be an octet string SK, the agreed-upon secret key.”  As the first step, this step is performed by each party independently as well (but after they have exchanged public values from the Phase 1).

D. Object Identifier

The last item defined in PKCS #3 are two object identifiers to be used with Diffie-Hellman key agreement, pkcs-3 and dhKeyAgreement.  The pkcs-3 OID identifies Diffie-Hellman key agreement and is specified as:

pkcs-3 OBJECT IDENTIFIER ::=  { iso(1)  member-body(2)  US(840)  rsadsi(113549)  pkcs(1)  3 }

The second OID, dhKeyAgreement, identifies the PKCS #3 key agreement method.

To learn more about PKCS #3, you can look through the specification, here:

http://www.rsa.com/rsalabs/node.asp?id=2126

To learn more about the CyaSSL embedded SSL library, you can download a free GPLv2-licensed copy from the yaSSL download page, http://yassl.com/yaSSL/download/downloadForm.php, or look through the CyaSSL Manual, http://www.yassl.com/yaSSL/Docs-cyassl-manual-toc.html.  If you have any additional questions, please contact us .

Go to forum: Announcements

484 Topic by chrisc

(0 replies, posted in wolfCrypt)

Welcome to the wolfCrypt Crypto Engine forum.  Please submit any questions, comments, feature requests, or anything else related to wolfCrypt here.  Stay tuned for more information about the wolfCrypt product.

Best Regards,
Chris

Go to forum: wolfCrypt

485 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi Nitin,

Can you try adding -fPIC to C_EXTRA_FLAGS instead of CXXFLAGS when building wolfSSL?

Thanks,
Chris

Go to forum: wolfSSL

486 Reply by chrisc

(3 replies, posted in wolfSSL)

Glad to hear you got things working.  That sounds like an interesting project!  When using the wolfSSL_CTX_xxx functions, did you try switching the order of the functions around like I suggested above?

- Chris

Go to forum: wolfSSL

487 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi zephrax,

Thanks for taking a look at wolfSSL embedded SSL.  If you don't mind me asking, what kind of application are you working on with wolfSSL?

I think the problem may be that you are loading the keys and certificates into wolfSSL after your call to wolfSSL_new().  Can you try switching the order and loading the keys/certs into wolfSSL before you call wolfSSL_new()?  You can find an example wolfSSL client in <wolfssl_root>/examples/client/client.c which may be helpful as a reference.

To test the scenario you were doing, I tried running a test node.js TLS server (code attached, from here: http://docs.nodejitsu.com/articles/cryp … s-module):

node node_server.js

Against our wolfSSL example client (run from the wolfSSL package root directory):

./examples/client/client -h 127.0.0.1 -p 8000

As you can see, my node.js test server was using the following options.  The certs and keys are the wolfSSL test ones located in the <wolfssl_root>/certs directory.

var options = {                                                                 
     key: fs.readFileSync('server-key.pem'),                                     
     cert: fs.readFileSync('server-cert.pem'),                                   
     ca: fs.readFileSync('ca-cert.pem'),                                         
     requestCert: true                                                           
};

This connection was successful, with the wolfSSL embedded SSL client correctly sending its client certificate over to the Node.js server.  Let me know if switching that order helps or not.

Best Regards,
Chris

Go to forum: wolfSSL

488 Topic by chrisc

(0 replies, posted in Announcements)

http://yassl.com/yaSSL/Blog/Entries/2012/12/27_STM32_and_CyaSSL_-_Hardware_Crypto_and_RNG_Support_files/stm32f2_crypto_comparison.png

We would like to announce that the CyaSSL embedded SSL library now has support for hardware-based cryptography and random number generation offered by the STM32F2.  Supported cryptographic algorithms include AES (CBC, CTR), DES (ECB, CBC), 3DES, MD5, and SHA1.  For details regarding the STM32F2 crypto and hash processors, please see the STM32F2xx Standard Peripheral Library document (linked below). 

If you are using the STM32F2 with CyaSSL, you can see substantial speed improvements when using the hardware crypto versus using CyaSSL’s software crypto implementation.  The following benchmarks were gathered from the CTaoCrypt benchmark application (ctaocrypt/benchmark/benchmark.c) running on the STM3221G-EVAL board (STM32F2) using the STM32F2 Standard Peripheral Library and FreeRTOS.

CyaSSL Software Crypto, Normal Big Integer Math Library

AES        1024 kB took 0.822 seconds,   1.22 MB/s
ARC4      1024 KB took 0.219 seconds,   4.57 MB/s
DES        1024 KB took 1.513 seconds,   0.66 MB/s
3DES      1024 KB took 3.986 seconds,   0.25 MB/s

MD5         1024 KB took 0.119 seconds,   8.40 MB/s
SHA         1024 KB took 0.279 seconds,   3.58 MB/s
SHA-256   1024 KB took 0.690 seconds,   1.45 MB/s

RSA 2048 encryption took 111.17 milliseconds, avg over 100 iterations
RSA 2048 decryption took 1204.77 milliseconds, avg over 100 iterations
DH  2048 key generation   467.90 milliseconds, avg over 100 iterations
DH  2048 key agreement   538.94 milliseconds, avg over 100 iterations

STM32F2 Hardware Crypto, Normal Big Integer Math Library

AES        1024 kB took 0.105 seconds,   9.52 MB/s
ARC4      1024 KB took 0.219 seconds,   4.57 MB/s
DES        1024 KB took 0.125 seconds,   8.00 MB/s
3DES      1024 KB took 0.141 seconds,   7.09 MB/s

MD5         1024 KB took 0.045 seconds,  22.22 MB/s
SHA          1024 KB took 0.047 seconds,  21.28 MB/s
SHA-256   1024 KB took 0.690 seconds,   1.45 MB/s

RSA 2048 encryption took 111.09 milliseconds, avg over 100 iterations
RSA 2048 decryption took 1204.88 milliseconds, avg over 100 iterations
DH  2048 key generation  467.56 milliseconds, avg over 100 iterations
DH  2048 key agreement   542.11 milliseconds, avg over 100 iterations

As the above benchmarks (and chart) show, the hardware-based algorithms on the STM32 demonstrate significantly faster speeds than that of their software counterparts.

To enable STM32 hardware crypto and RNG support, define STM32F2_CRYPTO and STM32F2_RNG when building CyaSSL.  For a more complete list of defines which may be required, please see the CYASSL_STM32F2 define in <cyassl_root>/cyassl/ctaocrypt/settings.h.  You can find the most recent version of CyaSSL on GitHub, here: https://github.com/cyassl/cyassl.  STM32F2 hardware crypto and RNG support will also be included in the next official release of the CyaSSL lightweight SSL library.

If you would like to use CyaSSL with STM32 hardware-based cryptography or RNG, or have any questions, please contact us at info@yassl.com for more information.

CyaSSL embedded SSL library: http://yassl.com/yaSSL/Products-cyassl.html
STM32: http://www.st.com/internet/mcu/class/1734.jsp
STM32F2 Standard Peripheral Library documentation: http://www.st.com/internet/com/TECHNICA … 023896.pdf

Go to forum: Announcements

489 Topic by chrisc

(0 replies, posted in Announcements)

Version 2.4.6 of the CyaSSL embedded SSL/TLS library has been released and is now available for download.  This release contains bug fixes and has a few new features including:

- ECC into main (GPLv2) version
- Lean PSK build (reduced code size, RAM usage, and stack usage)
- FreeBSD CRL monitor support
- CyaSSL_peek()
- CyaSSL_send() and CyaSSL_recv() for I/O flag setting
- CodeWarrior Support
- MQX / MFS / RTCS Support
- Freescale Kinetis support including Hardware RNG
- autoconf builds use jobserver
- cyassl-config
- Sniffer memory reductions

Thanks to Brian Aker for the improved autoconf system, make rpm, cyassl-config, warning system, and general good ideas for improving CyaSSL!

The Freescale Kinetis K70 RNGA documentation can be found in Chapter 37 of the K70 Sub-Family Reference Manual:
http://cache.freescale.com/files/microc … 0SF3RM.pdf

To download the open source, GPLv2-licensed version of CyaSSL 2.4.6, please visit our Download Page (http://yassl.com/yaSSL/download/downloadForm.php).  If you have any questions or comments or would like more information on commercial versions of CyaSSL, please contact us at info@yassl.com.

For build instructions, a full feature list, API reference, and more, please see the CyaSSL Manual (http://yassl.com/yaSSL/Docs-cyassl-manual-toc.html).

Go to forum: Announcements

490 Reply by chrisc

(4 replies, posted in wolfSSL)

Yes, typically in a real-world application you would want to verify the server certificates.

Which certificates you load will depend on your environment and client/server setup.  If you are using the wolfSSL example client and server examples, you can use our test certificates.  All wolfSSL embedded SSL test certs are located in the <wolfssl_root>/certs directory.  Some of the main ones include:

ca-cert.pem  (CA certificate)
server-cert.pem  (server cert)
client-cert.pem  (client cert)

Best Regards,
Chris

Go to forum: wolfSSL

491 Reply by chrisc

(4 replies, posted in wolfSSL)

Hi andreas,

!!!!!!!HERE I DO NOT UNDERSTAND WHY WE HAVE TO LOAD "ca_sert" ON THE SERVER SIDE!!!!!!!!!!!!

A list of CA certificates only need to be loaded on the server side if your server is going to be doing client authentication (mutual authentication).  Since it doesn't look like you're doing client authentication, you should be able to skip loading the ca-cert.pem into the server.

The num error that I get on the client side is -155(ASN_SIG_CONFIRM_E)

This error usually means that the client can't verify the server certificate that it receives, and typically means users have loaded the incorrect CA certificate into the client.  Can you double check that your certificate buffers are correct?

For testing your SSL connection in general (apart from certificate verification problems), you can always temporarily disable verification of the server by calling:

wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

from your client code (see ./examples/client/client.c for example usage).  This will disable the client from verifying the server certificate it receives.

Best Regards,
Chris

Go to forum: wolfSSL

492 Reply by chrisc

(4 replies, posted in wolfSSL)

Hi ruhmatahir,

I was able to build a simple SHA-512 application with wolfSSL in Eclipse on OS X by doing the following:

1)  Add the WOLFSSL_SHA512 define (set with a value of "1") in [Project Properties] -> [C/C++ General] -> [Paths and Symbols] -> [Symbols]

2)  Under [Project Properties] -> [C/C++ Build] -> [Settings] -> [Linker section] -> [Libraries], then click the "plus" button and add an entry for "wolfssl" to tell Eclipse to link to the wolfSSL library.

Does this work on your end?

Best Regards,
Chris

Go to forum: wolfSSL

493 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Kevin,

wolfSSL currently only supports lighttpd version 1.4.23.  A wolfSSL port to the most recent version of lighttpd is on our list of things that we want to get done, but due to other commitments, we haven't been able to get to it yet.  The newer versions of lighttpd added a more extensive use of OpenSSL, and as such will require an expansion of the wolfSSL OpenSSL compatibility layer (the missing functions you stated above).

We also offer the wolfSSL Embedded Web Server (http://yassl.com/yaSSL/Products-yassl-e … erver.html), which could work as a replacement for lighttpd depending on your project requirements.  This fully supports TLS 1.2 with the most recent version of wolfSSL.  Like wolfSSL, it is dual licensed under GPLv2 and commercial licensing.  Have you taken a look at it?

Best Regards,
Chris

Go to forum: wolfSSL

494 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi,

Does anyone know if snifftest support ipv6 pcap file?

What kind of project are you working on?  wolfSSL's sniffer currently only supports IPv4.  Would you be interested in having IPv6 support added to wolfSSL's sniffer?

Best Regards,
Chris

Go to forum: wolfSSL

495 Reply by chrisc

(4 replies, posted in wolfSSL)

Hi,

From what I understand, you have built wolfSSL with SHA-512 support (--enable-sha512) and installed the library (sudo make install).  Are you including the sha512.h header?

#include <wolfssl/wolfcrypt/sha512.h>

And are you defining WOLFSSL_SHA512 when you build your application?  For example:

gcc main.c -lwolfssl -DWOLFSSL_SHA512

Best Regards,
Chris

Go to forum: wolfSSL

496 Reply by chrisc

(5 replies, posted in wolfSSL)

Hi andreas,

Have you verified that your LwIP stack works correctly when using standard TCP/IP (not over SSL)?

Regards,
Chris

Go to forum: wolfSSL

497 Reply by chrisc

(3 replies, posted in wolfSSL)

Adding SSL/TLS to your application code and switching from using TCP/IP directly to using SSL/TLS is usually fairly simple.  I'm guessing that you'll already have a thin HTTP client that will communicate back to your server, which you now want to add HTTPS support to?

You can take a look at our example client (<cyassl_root>/examples/client/client.c), which sends a simple "GET" command when used with the "-g" option.  We also have several documentation resources which may be of assistance, including:

1)  SSL Tutorial: http://yassl.com/yaSSL/Docs-cyassl-manu … orial.html
2)  wolfSSL Embedded SSL Manual:  http://yassl.com/yaSSL/Docs-cyassl-manual-toc.html

Best Regards,
Chris

Go to forum: wolfSSL

498 Reply by chrisc

(5 replies, posted in wolfSSL)

Typically, when setting up wolfSSL in your application code, you should:

1)  Set up your socket
2)  Connect the socket
3)  Pass the file descriptor to wolfSSL using the wolfSSL_set_fd() function

Are you following these steps in your application code?

Regards,
Chris

Go to forum: wolfSSL

499 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi anhdv,

Can you explain a little more about what you would like to do?

Thanks,
Chris

Go to forum: wolfSSL

500 Reply by chrisc

(5 replies, posted in wolfSSL)

Hi andreas,

Do you have your LwIP stack configured to use the BSD-style sockets API?  This is done by setting LWIP_SOCKET to "1" in lwip/opt.h or in your build.

Best Regards,
Chris

Go to forum: wolfSSL