
(3 replies, posted in wolfSSL)

Thanks!


(3 replies, posted in wolfSSL)

Doing some further searching on the forums, am I running into the issue where the FP_MAX_BITS is not set high enough? By default WolfSSL only supports up to 2048-bit RSA keys (even on the SGX build), right? So to support 4096-bit, I would need to edit FP_MAX_BITS in tfm.h.

Hi all,

I'm trying to implement an RS256 signature (for JWTs) using WolfSSL 4.8.0 compiled for an SGX enclave environment. Broadly, the code I implemented will read an array containing a PEM-encoded RSA-4096 private key and convert it to DER (using `wc_KeyPemToDer`), then decode that into an `RsaKey` object (using `wc_RsaPrivateKeyDecode`), initialize the RNG and a signature buffer, and finally call `wc_SignatureGenerate`.

The call to `wc_SignatureGenerate` is failing with an error code of -112, which is `MP_EXPTMOD_E`. Recompiling WolfSSL with debug and -O0 and -g, I believe the error originates from `fp_exptmod` where it is checking for "modulus of zero and prevent overflows":

if (fp_iszero(P) || (P->used > (FP_SIZE/2))) {

I believe it is the second test that is failing `(P->used > (FP_SIZE/2))`. In my case, `P->used` is currently set to 64 and `FP_SIZE/2` seems to be equal to 36 (if I am reading the disassembly correctly).

I generated the key I'm testing with using: `openssl req -new -newkey rsa:4096 -nodes -keyout xxx.key -out xxx.csr`, converted to a C include header with xxd. Also happy to post my minimized test code.

Any advice as to debugging this would be greatly appreciated!

Thanks for reading!
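The guard quoted in the post above, `P->used > (FP_SIZE/2)`, is the whole story: with 64-bit digits a 4096-bit modulus occupies 64 digits, and `FP_SIZE/2` is 36 at the default `FP_MAX_BITS` of 4096, which is exactly the pair of values reported. The added example below is editor's code, not wolfSSL's, and models that arithmetic stand-alone so it compiles without the library. It assumes what I recall of tfm.h (`FP_MAX_SIZE = FP_MAX_BITS + 8*DIGIT_BIT`, `FP_SIZE = FP_MAX_SIZE/DIGIT_BIT`, `DIGIT_BIT` = 64 on x86_64) and the check from fp_exptmod as quoted in the post; the helper names `fp_size_for`, `digits_used`, `exptmod_rejects` and `min_fp_max_bits` are mine.

```c
/* Added example (editor's code, not wolfSSL's): models the fp_exptmod
 * size guard to show why a 4096-bit RSA key fails with MP_EXPTMOD_E
 * (-112) under the default FP_MAX_BITS, and what value passes.
 *
 * Assumptions (from tfm.h as recalled, not copied from the page):
 *   DIGIT_BIT   = 64 on x86_64
 *   FP_MAX_SIZE = FP_MAX_BITS + 8*DIGIT_BIT
 *   FP_SIZE     = FP_MAX_SIZE / DIGIT_BIT
 * The guard itself, P->used > FP_SIZE/2, is the line quoted in the post.
 */
#include <stdio.h>

#define DIGIT_BIT 64 /* fp_digit width on x86_64 (assumption) */

/* FP_SIZE as tfm.h derives it from a given FP_MAX_BITS. */
static int fp_size_for(int fp_max_bits)
{
    int fp_max_size = fp_max_bits + 8 * DIGIT_BIT;
    return fp_max_size / DIGIT_BIT;
}

/* Number of fp_digits a modulus of key_bits occupies, i.e. P->used. */
static int digits_used(int key_bits)
{
    return (key_bits + DIGIT_BIT - 1) / DIGIT_BIT;
}

/* 1 if fp_exptmod's guard would reject a modulus of key_bits when the
 * library was built with fp_max_bits, 0 if the guard passes. */
static int exptmod_rejects(int fp_max_bits, int key_bits)
{
    return digits_used(key_bits) > fp_size_for(fp_max_bits) / 2;
}

/* Smallest power-of-two FP_MAX_BITS (starting at 1024) that accepts a
 * modulus of key_bits. */
static int min_fp_max_bits(int key_bits)
{
    int bits = 1024;
    while (exptmod_rejects(bits, key_bits))
        bits *= 2;
    return bits;
}

int main(void)
{
    static const int keys[] = { 1024, 2048, 3072, 4096 };
    static const int builds[] = { 4096, 8192 };
    size_t i, j;

    for (j = 0; j < sizeof builds / sizeof builds[0]; j++) {
        printf("FP_MAX_BITS=%d -> FP_SIZE=%d, guard limit FP_SIZE/2=%d\n",
               builds[j], fp_size_for(builds[j]), fp_size_for(builds[j]) / 2);
        for (i = 0; i < sizeof keys / sizeof keys[0]; i++) {
            printf("  RSA-%d: P->used=%d -> %s\n", keys[i],
                   digits_used(keys[i]),
                   exptmod_rejects(builds[j], keys[i]) ? "MP_EXPTMOD_E" : "ok");
        }
    }
    printf("minimum FP_MAX_BITS for RSA-4096: %d\n", min_fp_max_bits(4096));
    return 0;
}
```

Run as written, the default build prints a limit of 36 digits and rejects RSA-3072 and RSA-4096, while `FP_MAX_BITS=8192` (a limit of 68 digits) accepts all four; the modulus needs room for the double-width intermediates of modular exponentiation, which is why the setting has to be roughly twice the key size rather than equal to it.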

Looks like that worked, thanks!

Hi all,

I'm using WolfSSL latest from the master branch (commit a250e1f23a5b1002c57570a29a2db3048eed1316) and the Linux SGX SDK latest from the master branch (just a few commits after 2.13.3) on Ubuntu 20.04. I've built the SGX SDK and installed it at /opt/intel/sgxsdk (default location).

When running build.sh in IDE/LINUX-SGX, I get an error "unknown type name size_t" on line 208 of wolfssl/wolfcrypt/types.h (where wc_ptr_t is defined). The error occurs with this call to gcc:

cc  -DDEBUG_WOLFSSL -Wno-implicit-function-declaration -std=c11 -m64 -O2 -nostdinc -fvisibility=hidden -fpie -fstack-protector -I/wolfssl/ -I/wolfssl/wolfcrypt/ -I/opt/intel/sgxsdk/include -I/opt/intel/sgxsdk/include/tlibc -I/opt/intel/sgxsdk/include/stlport -I/wolfssl/wolfcrypt/test -I/wolfssl/wolfcrypt/benchmark/ -fno-builtin-printf -I. -DWOLFSSL_SGX -DWOLFSSL_HAVE_SP_RSA -DWOLFSSL_HAVE_SP_DH -DWOLFSSL_HAVE_SP_ECC   -c -o /wolfssl/wolfcrypt/src/aes.o /wolfssl/wolfcrypt/src/aes.c
In file included from /wolfssl/wolfssl/wolfcrypt/error-crypt.h:34,
                 from /wolfssl/wolfcrypt/src/aes.c:36:
/wolfssl/wolfssl/wolfcrypt/types.h:208:13: error: unknown type name 'size_t'
  208 |     typedef size_t wc_ptr_t;
      |             ^~~~~~

I currently believe that the WolfSSL system of includes isn't picking up the definition of size_t in the SGX SDK's tlibc header files (which are found in /opt/intel/sgxsdk/include/tlibc).

I haven't yet dug into WolfSSL's includes to figure out how it picks up either types.h or limits.h, but any advice would be appreciated.

Thanks for reading!


(3 replies, posted in wolfSSL)

dgarske wrote:

The BIO_write expects WOLFSSL_BIO_SSL for an SSL socket write. Have you tried setting up a BIO with that type?

Hi David,

Thanks for replying.  Are there examples somewhere of creating a BIO of the SSL type and using it?  OpenSSL's man pages have an example using BIO_new_ssl_connect but that is not one of WolfSSL's supported APIs.


(3 replies, posted in wolfSSL)

Hi all,

I'm using a library designed for OpenSSL.  The library's API takes BIO pointers.  It later calls BIO_read() and BIO_write() on that BIO pointer.

If I use the WolfSSL API normally, the WOLFSSL structure doesn't fill in the biord and biowr fields, so SSL_get_rbio/SSL_get_wbio won't provide me a BIO to pass to the third party library.

I can successfully create a socket BIO using BIO_new_socket with an opened/connected socket file descriptor, pass it to SSL_set_bio, then SSL_connect().  Everything succeeds.

SSL_write() of a char * buffer also succeeds.  But if I replace that with a BIO_write(), no data is sent.
BIO_write doesn't handle BIOs of type WOLFSSL_BIO_SOCKET, so it doesn't actually work on my BIO.

Thanks