76 Reply by john

(1 replies, posted in wolfSSL)

wolfSSL has two PRNG functions that can be selected at build time: ARC4 using the entropy source (GenerateSeed() function) to provide a key or a SHA-256 Hash_DRBG (described in NIST SP 900-80A) seeded with the entropy source. If you are using "configure" to set up your build, the Hash_DRBG is enabled by default. If you are building through Visual Studio, the ARC4 PRNG is used.

The entropy seed for either PRNG is obtained with the GenerateSeed() function. There are several GenerateSeed() example functions in file random.c, most of which can be used depending on your environment. On Linux or Mac OS X, "/dev/urandom" is read for the seeding. On Windows, the equivalent source is read. Some of the embedded processors have their own built in hardware entropy sources and we call their API. If we don't have an example that suits your needs you have to provide your own GenerateSeed(), and we can help with that.

For QNX you could set the flag "HAVE_HASHDRBG" and use the Linux-style GenerateSeed() reading from /dev/urandom.

I hope this helps.

Go to forum: wolfSSL

77 Reply by john

(3 replies, posted in wolfSSL)

--enable-openssl also defines KEEP_PEER_CERT.

I'm glad to see that it is working for you now.

Go to forum: wolfSSL

78 Reply by john

(3 replies, posted in wolfSSL)

First, the jabber.se certificate expired on May 1st.

Which version of wolfSSL embedded SSL are you using? I'm connecting with the latest commit from GitHub and the altName is not getting ignored. (By the way, add -g to your client command. It'll do an HTTP "GET /" message to the server.)

How are you configuring the library? There was an issue where the altNames were getting lost when you had KEEP_PEER_CERT enabled. (I believe the fix was released in version 3.4.8. It was commit 50e829e.)

Go to forum: wolfSSL

79 Reply by john

(1 replies, posted in wolfSSL)

Are you using configure to set up your build first? Did you try:

./configure C_EXTRA_FLAGS=-DCYASSL_AES_DIRECT
make
./ctaocrypt/test/testctaocrypt

One other question, why are you using such an old copy of CyaSSL embedded SSL? v2.8.0 is from late 2013. I'd recommend upgrading to the current version of wolfSSL. (We changed the name of the library recently. Same code, different name.)

Go to forum: wolfSSL

80 Reply by john

(2 replies, posted in wolfSSL)

Sorry about the delay in responding. That's a good suggestion. Please see commit fe303c97 in our GitHub repository.

Go to forum: wolfSSL

81 Reply by john

(36 replies, posted in wolfSSL)

I'm glad to see you found a work-around for the problem. I have a colleague looking into this right now as well. We will investigate a more permanent solution for this.

Thanks!

Go to forum: wolfSSL

82 Reply by john

(36 replies, posted in wolfSSL)

On your platform, we're depending on the compiler to make the 64-bit data operations work using its 32-bit registers/math. I'm wondering if it is messing up. I made a little test application that did a couple rotations on my Mac.

#include "wolfssl/wolfcrypt/types.h"
#include "wolfcrypt/src/misc.c"
#include <stdio.h>

int main(void)
{
    word64 test;

    test = 1;
    printf("test = %lu\n", test);
    test = rotlFixed64(test, 33);
    printf("test = %lX\n", test);

    test = 1;
    printf("test = %lu\n", test);
    test = rotrFixed64(test, 5);
    printf("test = %lX\n", test);
}

The output was:

test = 1
test = 200000000
test = 1
test = 800000000000000

Can you try it out, or something like it, on your device?

Go to forum: wolfSSL

83 Reply by john

(6 replies, posted in wolfSSL)

ECDSA uses a random number as part of the signature process. If you call ecc_sign_hash() multiple times with the same data, you will get a different signature every time. But, all the signatures will verify correctly with ecc_verify_hash().  Do they provide the secret number in a PEM or DER wrapper?

Go to forum: wolfSSL

84 Reply by john

(6 replies, posted in wolfSSL)

Are you sure you really want to do that? That's what got a large video game console manufacturer in trouble.

Go to forum: wolfSSL

85 Reply by john

(36 replies, posted in wolfSSL)

Are you setting USE_SLOW_SHA2 or CTAOCRYPT_SLOW_WORD64?

Go to forum: wolfSSL

86 Reply by john

(36 replies, posted in wolfSSL)

Tangent: It looks like you included "misc.c" in your project. With the way your build is configured, that file is included in the other files that needs it. There is an option to compile it on its own, but you aren't using that, and it is a little faster to not do that. And all the warnings in internal.c shouldn't be there; we added the parens around the assignments that is supposed to hush those warnings.

Go to forum: wolfSSL

87 Reply by john

(36 replies, posted in wolfSSL)

re 19:
I think you are showing the LS 32-bits of the buffer words. Right before the Transform384 in Sha384Final using the data "abc", I get 

(lldb) p/x sha384->buffer
(word64 [16]) $18 = {
  [0] = 0x6162638000000000
  [1] = 0x0000000000000000
  [2] = 0x0000000000000000
  [3] = 0x0000000000000000
  [4] = 0x0000000000000000
  [5] = 0x0000000000000000
  [6] = 0x0000000000000000
  [7] = 0x0000000000000000
  [8] = 0x0000000000000000
  [9] = 0x0000000000000000
  [10] = 0x0000000000000000
  [11] = 0x0000000000000000
  [12] = 0x0000000000000000
  [13] = 0x0000000000000000
  [14] = 0x0000000000000000
  [15] = 0x0000000000000018

This looks like "Chunk" 0 in the example you gave me from that external site. (I'm running on OS X.)

In 20, when you say iteration 3, are you talking about the loop in Transform384? (So, technically iteration 48, since that loop is doing 16 iterations at a time?)

Since your compiler is trying to do 64-bit stuff with a 32-bit compiler, maybe it is tripping up on not rotating something enough, or truncating a 64-value at 32-bits in the wrong spot.

I don't think it is accessing outside the tables with negative array indices because they are masked to 3 or 4 bits. (unless there are shenanigans regarding the types of the bare numbers.) And there shouldn't be any assumptions made about locals being initialized, beyond they aren't.

Go to forum: wolfSSL

88 Reply by john

(36 replies, posted in wolfSSL)

Which version of wolfSSL are you using right now and did you download it from our website?

Could you try 

#define CTAOCRYPT_SLOW_WORD64

Go to forum: wolfSSL

89 Reply by john

(36 replies, posted in wolfSSL)

Is your compiler throwing any warnings during the build of wolfSSL?

Go to forum: wolfSSL

90 Reply by john

(36 replies, posted in wolfSSL)

OK. I see what's going on here. When running the wolfSSL client connecting to that server, you only need to add the root CA, AddTrustExternalRootCA. The server is sending its certificate, and the signing chain, including a copy of the AddTrust. When processing the Certificate message, wolfSSL ends up ignoring the AddTrust certificate and then checking the next certificate, COMODO RSA Certification Authority. That one is successfully verified and added to the CA pool. The next certificate, COMODO RSA Domain Validation Secure Server CA, is checked and is rejected because the signature fails.

This happens because by default wolfSSL is using fast math which uses preallocated buffers for the big integers, and the size defaults to 4096 to allow for the 2048x2048 bit multiply needed for RSA. The certificate COMODO RSA Certification Authority has a 4096-bit key, so the following RSA signature check fails.

I configured my local wolfSSL build to set FP_MAX_BITS=8192 which will allow for the 4096x4096 bit multiply. (Actually, first I used non-fastmath, then fastmath with with the bigger max bits.) The connection succeeded.

This doesn't answer why the SHA-384 and SHA-512 hash tests fail for you since those are known-answer tests that don't involve RSA or the big integer math. (I'll follow up on that later.)

For places to print out data, you could add prints of the digest at the end of Sha384Update() and run it both on your device and on the desktop and see when they start to differ.

Go to forum: wolfSSL

91 Reply by john

(36 replies, posted in wolfSSL)

On the signer error, I found this link. They are trying to get the right signer certs together in a chain file using the Comodor cert chain.

The order for the cat command should be:

$ cat ComodorRSADomainValidSecureServerCA ComodorRSACertAuth AddTrustCert > cert.pem

The peer certificate is signed by ComodorRSADomainValidSecureServerCA, which is signed by ComodorRSACertAuth, which is signed by AddTrustCert, which signs itself.


On the hash problem, if you take out the CYASSL_SHA384 does the SHA-512 test case succeed?

Is your device big-endian or little-endian?

Go to forum: wolfSSL

92 Reply by john

(36 replies, posted in wolfSSL)

For the "client" command you can only include one certificate with the "-A" option. The command line option processor saves the file name and loads the file later, so only the last file name is saved. If you

cat AddTrustCert ComodorRSACertAuth ComodorRSADomainValidSecureServerCA > combo.pem

and then -A combo.pem, all three will be loaded. (This assumes the certificates are in PEM format. We can't load DER certificates concatenated together.)

Back to the SHA-384 issue. Do you have 64-bit data types available on your platform? Could you do a

printf("sizeof(long long) = %u\n", sizeof(long long));

The SHA-384/512 uses type word64 (unsigned long long) in the internal state. And you deleted the "NO_SHA512" from the MBED settings? You are using the MBED block in settings.h with "#define CYASSL_MBED" uncommented? Setting SIZEOF_LONG_LONG to 8 should be enabling the typedef for word64 in types.h.

Go to forum: wolfSSL

93 Reply by john

(36 replies, posted in wolfSSL)

Also, have you run the ctaocrypt test on your target board? It does some known answer tests for all the ciphers and hashes you have enabled.

Go to forum: wolfSSL

94 Reply by john

(36 replies, posted in wolfSSL)

For SHA-384, you have to add the following to your settings.

#define CYASSL_SHA512
#define CYASSL_SHA384

Can you connect to the server using our example command line client using only your root CA? (For example, connecting to google.com with the GeoTrust Global CA certificate.)

When the client receives the Certificate message, it should be checking all the certificates in order from last to first. The last one is signed by the root CA, and the first is the peer's certificate. Each one is loaded into the certificate manager and used to verify the next certificate.

Go to forum: wolfSSL

95 Reply by john

(3 replies, posted in wolfSSL)

Which platform are you running on? Are you using the configure script to set up the build, or is it through an IDE of some kind?

Go to forum: wolfSSL

96 Reply by john

(21 replies, posted in wolfSSL)

You're welcome.

To answer your questions:

Vanger wrote:

Do you know what the times between CyaSSL handshake messages are?
At this point, it seems like the issue is caused by a timeout either server-side or radio-side.
It seems like the library shouldn't be causing timeout issues with it being less than a second or two to run various code segments between outputting data to the server?

It all depends on how fast your hardware is and what cipher suites you are using. The public key cryptography is slow. On a desktop PC you'd probably never see any kind of delay, but on an embedded device the RSA operation could take hundreds of milliseconds. The point in the handshake where your device was timing out was after the public key operations. I don't think Google is timing out; I added in a 3 second delay right before my client sends its Change Cipher Spec message and Google still finished the handshake.

There isn't a timeout on the handshake. If the socket closes then we'll get an error from the recv() and tear down the session.

Vanger wrote:

Is it possible that the google.com server is requesting a certificate to distinguish between clients that connect to it?

Public web servers are commonly configured to use anonymous clients without their own certificates. The server would send a Certificate Request handshake message to the client in the non-anonymous case, and from your logs there wasn't any evidence of Google doing that.

Vanger wrote:

Is there a way to tell the library to use a timeout on connections for trying to read the next record from the server? If so, where/how is it set?

This would be accomplished by setting a timeout on the socket, or using non-blocking sockets and calling select() on the socket. Or using custom I/O routines with CyaSSL (wolfSSL).

Go to forum: wolfSSL

97 Reply by john

(21 replies, posted in wolfSSL)

Vanger wrote:

I'm going to try to pull more debug values from the client at various points of interest in the code, but I'm not sure what to be looking for/at.

Is there any code difference between connecting to say google.com versus wikipedia.org?
The library works consistently on certain websites and doesn't work consistently on the google.com and yahoo.com domains.
I would expect the code operates the same way for the SSL code regardless of which website it connects to, which would beg the question of what is different about the named websites that would cause a handshake failure, whereas the other websites are connecting just fine.

There shouldn't be any differences between connecting to any site. Except for the CA certificate you are loading to verify the server's certificate. Google, Wikipedia, and Yahoo! are all using different certificate issuers. Google is signed by GeoTrust, Wikipedia is signed by GlobalSign, and Yahoo! is signed by VeriSign.

Since I'm on a Mac, I get those certificates out of my KeyChain application. I save them and then covert them to PEM format, and concatenate them into a single file. With the wolfSSL client, I use the -A option to load that file.

Vanger wrote:

The record layer headers are all fine up until the client sends a ClientKeyExchange message, after which the next record layer header received from the server is:  0D,0A,4E,4F,20

That's not a record layer header from the server. That's the string "<CR><LF>NO<SPACE>". Is that part of the over-the-air protocol you are tunneling the SSL through? Is the rest of the line "CARRIER" or something? Or maybe it is your option D.

As for option B, the server should be sending a clear "Change Cipher Spec" message, followed by an encrypted Finished handshake message. For all TLS records, the record header is in the clear.

Go to forum: wolfSSL

98 Reply by john

(8 replies, posted in wolfSSL)

The wolfssl.sln VS solution wraps the wolfSSL (now wolfSSL) library, and the projects for our example server, client, echoserver, and echoclient, and some of our test tools. The solution builds the wolfSSL library and includes it into the other sub-projects automatically.

Attached is a screen capture of the solution browser on VS Express 2012. I opened the wolfssl.sln solution and it upgraded it from 2008 to 2012, but the layout is still the same. When I'm doing some testing, I'll build the server or client, and VS builds the library dependency first, and then the server, and handles the linking for me. If I were to open the disclosure on the Source Files under the "wolfssl" solution, the library sources would show up.

Go to forum: wolfSSL

99 Reply by john

(21 replies, posted in wolfSSL)

When you got the 10/78, were you printing out the version numbers from inside the DoFinished() function or were you looking at them in the data stream?

Have you tried the connection using the example client from the command line?

Go to forum: wolfSSL

100 Reply by john

(21 replies, posted in wolfSSL)

Which "method" function are you using to make your CyaSSL_CTX object?

I can connect to Google with our example client using SSLv3 (0), TLSv1.0 (1), TLSv1.1 (2), and TLSv1.2 (3):

% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 0
% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 1
% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 2
% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 3

And I get the 404 response for each of those, decoded.

Could you capture the network traffic for the connection attempt using Wireshark?

Go to forum: wolfSSL