26 Reply by anthony

(1 replies, posted in wolfSSL)

Hi db,

My name is Anthony and I am a member of the wolfSSL team. From what I understand, sigpipe means  the peer closed the socket when there was data still available to read.  This is generally resolved by, on both sides, doing a shutdown (for example, calling wolfSSL_shutdown() ) , checking for WOLFSSL_SHUTDOWN_NOT_DONE, and then doing wolfSSL_shutdown() again.  You can search for WOLFSSL_SHUTDOWN_NOT_DONE in wolfssl/examples/server/server.c and wolfssl/examples/client/client.c to see what I mean.

Warm regards, Anthony

Go to forum: wolfSSL

27 Reply by anthony

(1 replies, posted in wolfSSL)

This will be  handled via technical support channel.

Go to forum: wolfSSL

28 Reply by anthony

(2 replies, posted in wolfSSL)

Hi bganjl,

You are correct, we do not have support for that. Can you please email support@wolfssl.com so we can get started on a feature request?  Please reference this forum post when you send the message.

Warm regards, Anthony

Go to forum: wolfSSL

29 Reply by anthony

(2 replies, posted in wolfSSL)

Hi bganjl,

My name is Anthony and I am a member of the wolfSSL team. Its an interesting question and I will look into it for you. 

In the meantime, can you let us know a bit about yourself and your project?  We love to know about who is using our software. For example:

Where are you located?  Country and nearest urban area should suffice.

Is this project out of personal, academic or commercial interest?

Is this project associated with any institutions or organizations?

Warm regards, Anthony

Go to forum: wolfSSL

30 Reply by anthony

(4 replies, posted in wolfSSL)

Hi Scott,

Thanks for all the information you provided. Since you have commercial support, please open a support ticket by sending a message to support@wolfssl.com using an email account associated with your organization.  In that message, please reference this forum posting.  We look forward to helping you there.

Warm regards, Anthony

Go to forum: wolfSSL

31 Reply by anthony

(4 replies, posted in wolfSSL)

Hi Scotty2541,

Thanks for reaching out to us here on the forums!  My name is Anthony and I am a member of the wolfSSL team.  Have you had a look at https://github.com/wolfSSL/wolfssl/tree/master/tirtos ?  It references some documentation and examples.

AutoSAR refers to https://www.autosar.org/.  When you build using our configure scripts, autosar is disabled by default. What could be happening is that CCS is erroneously bringing in all the source and header files into your project.  You'll have to remove some files that shouldn't be there.

Can you let me know a bit about yourself? Here at wolfSSL we are very interested to know about who is using our software.  We'd love to know about:

Where are you located? (Country and nearest urban centre)
What are your goals?
Is your project out of commercial, academic or professional interest?
Is your project associated with any institutions?

Please let me know if you have further questions for me.

Warm regards, Anthony

Go to forum: wolfSSL

32 Reply by anthony

(1 replies, posted in wolfSSL)

Hi MMI_101,

Thanks for using wolfSSL and reaching out to us here on the forums.

In order to be able to use wc_InitCert, you must have the macro WOLFSSL_CERT_GEN defined. I don't know what macros you have defined in your user_settings.h and/or compiler flags, but my best guess is that this is not defined.  If it is defined, please let me know what other macros are defined.

Here at wolfSSL we love knowing how our code is being used.  Can you tell us a bit about yourself and your project?

- Where are you located?  Country and nearest large urban area should suffice.
- It this project out of personal interest, an academic project or commercial in nature?
- Is there an institution or company associated with your work?

Any other details about yourself and your project would be greatly appreciated.


Warm regards, Anthony

Go to forum: wolfSSL

33 Reply by anthony

(8 replies, posted in wolfCrypt)

Hi Adrien,

Indeed, that release does not have it yet. 

You could manually patch your copy with the following diff:

https://github.com/wolfSSL/wolfssl/comm … f2d79.diff

However, I'm not sure if/when STM32CubeIDE will overwrite your changes to wolfSSL source code.  I seem to recall that when you save certain configuration settings, the wolfSSL code gets regenerated.

Another option is to simply wait for the next release.  We are currently in the process of preparing for the next release and should be out at the beginning of July.

Perhaps another option is to just prototype on Linux with the github master branch first while you wait for the next release.

I'm very interested to know which path you choose. 

Warm regards, Anthony

Go to forum: wolfCrypt

34 Reply by anthony

(8 replies, posted in wolfCrypt)

Hi,

I'm sorry for the delayed response. I had lost track of this as I thought I had answered your questions.

dP and dQ will have to be calculated by you.  That said, they are only used in the Chinese Remainder Theorem (CRT).  If you define `RSA_LOW_MEM`, that is using a non-CRT implementation then you won't need to worry about dP and dQ.  That said, execution time will increase. 

Let me know if this helps.

Warm regards, Anthony

Go to forum: wolfCrypt

35 Reply by anthony

(8 replies, posted in wolfCrypt)

I'm sorry, I think I was mistaken!! Please see wc_RsaPrivateKeyDecodeRaw()

It has the form:

WOLFSSL_API int wc_RsaPrivateKeyDecodeRaw(const byte* n, word32 nSz,
        const byte* e, word32 eSz, const byte* d, word32 dSz,
        const byte* u, word32 uSz, const byte* p, word32 pSz,
        const byte* q, word32 qSz, const byte* dP, word32 dPSz,
        const byte* dQ, word32 dQSz, RsaKey* key);

It can be found in wolfssl/wolfcrypt/rsa.h

Warm regards, Anthony

Go to forum: wolfCrypt

36 Reply by anthony

(8 replies, posted in wolfCrypt)

Hi Adrian,

My name is Anthony and I am a member of the wolfSSL team.

We do have the function wc_RsaExportKey() which looks like this:

WOLFSSL_API int wc_RsaExportKey(RsaKey* key,
                                byte* e, word32* eSz,
                                byte* n, word32* nSz,
                                byte* d, word32* dSz,
                                byte* p, word32* pSz,
                                byte* q, word32* qSz);

But I don't think we have the corresponding API for importing it in this format.  That said, would you like to register this as a feature request?

If so, please send an email to support@wolfssl.com.  The process will only take a couple of minutes of your time.  Please also reference this forum post in that email message.

Warm regards, Anthony

Go to forum: wolfCrypt

37 Reply by anthony

(6 replies, posted in wolfSSL)

Thanks for letting me know. If you would like to share more details about yourself and your project in a more private setting, please email me at anthony@wolfssl.com.

Warm regards,  Anthony

Go to forum: wolfSSL

38 Reply by anthony

(6 replies, posted in wolfSSL)

Good to know!  Glad you got it resolved.  Can you let us know a bit about yourself?
Where are you located?
What are your goals?
Is the nature of this project academic, commercial, or personal?
We love knowing how our code is being used and any information you are willing to share helps us to better understand our user base.

Warm regards, Anthony

Go to forum: wolfSSL

39 Reply by anthony

(6 replies, posted in wolfSSL)

There is another possibility that the root cause of your failure is here: 

 wolfSSL Leaving EccVerify, return -330

Can you please also share your certificates and what ECC curves you share in those certificates?

Go to forum: wolfSSL

40 Reply by anthony

(6 replies, posted in wolfSSL)

Hi chenkanghao001,

Here is a relevant piece of code that shows up in your debug message: 

        if (CipherRequires(first, second, REQUIRES_RSA)) {
            WOLFSSL_MSG("Requires RSA");
            if (ssl->options.haveRSA == 0) {
                WOLFSSL_MSG("Don't have RSA");
                return 0;
            }
        }

Can I ask you how you configure and build wolfssl? Can you let us know what configuration flags you use? 

Also, can you give us some hints as to how you initialize your server and client?

I ask these things because perhaps you are disabling RSA somehow.

Warm regards, Anthony

Go to forum: wolfSSL

41 Reply by anthony

(10 replies, posted in wolfSSL)

Hi Will,

You'll need to increase the amount of memory given to the static memory system.  I can't add attachments in this forum so I will email a document to you.
Warm regards, Anthony

Go to forum: wolfSSL

42 Reply by anthony

(10 replies, posted in wolfSSL)

Hi Will,

A simpler solution might be to use ECC certs.  Have you investigated that possibility?

Warm regards, Anthony

Go to forum: wolfSSL

43 Reply by anthony

(10 replies, posted in wolfSSL)

Note that the following passage appears here https://www.wolfssl.com/documentation/m … ter02.html :

WOLFSSL_DYN_CERT

Allow allocation of subjectCN and publicKey fields when parsing certificates even with WOLFSSL_NO_MALLOC set. If using the WOLFSSL_NO_MALLOC option with RSA certificates the public key needs to be retained for CA's for validate certificates on the peer's certificate. This appears as a ConfirmSignature error -173 BAD_FUNC_ARG, since the ca->publicKey is NULL.

Go to forum: wolfSSL

44 Reply by anthony

(10 replies, posted in wolfSSL)

During the parsing of the certificate, the public key is not being stored: 

#if (!defined(WOLFSSL_NO_MALLOC) && !defined(NO_WOLFSSL_CM_VERIFY)) || \
    defined(WOLFSSL_DYN_CERT)
    /* cert->publicKey not stored as copy if WOLFSSL_NO_MALLOC defined */
    if ((cert->keyOID == RSAk
    #ifdef WC_RSA_PSS
         || cert->keyOID == RSAPSSk
    #endif
         ) && cert->publicKey != NULL && cert->pubKeySize > 0) {
        ptr = (char*)XMALLOC(cert->pubKeySize, cert->heap,
                              DYNAMIC_TYPE_PUBLIC_KEY);
        if (ptr == NULL)
            return MEMORY_E;
        XMEMCPY(ptr, cert->publicKey, cert->pubKeySize);
        cert->publicKey = (byte *)ptr;
        cert->pubKeyStored = 1;
    }

#endif

So 

cert->pubKeyStored

is not getting set to 1.  I was able to get past this by adding 

-DWOLFSSL_DYN_CERT

to 

CFLAGS

. That said, I later got an out of memory error: 

wolfSSL Entering SendCertificateVerify
sent: certificate verify
connect state: FIRST_REPLY_THIRD
growing output buffer
wolfSSL Entering DtlsMsgPoolSave
wolfSSL Entering DtlsMsgNew
wolfSSL Leaving DtlsMsgPoolSave(), return 0
ERROR ran out of static memory
wolfSSL error occurred, error = -125
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return -125
err = -125, out of memory error

I'll need to ask my colleagues how to increase the memory pool size.

Please stay tuned.

Warm regards, Anthony

Go to forum: wolfSSL

45 Reply by anthony

(10 replies, posted in wolfSSL)

Hello, Will (whjochim),

My name is Anthony and I am a member of the wolfSSL team. I have been able to reproduce what you are seeing.  Thank you so much for all the details you provided!! 

I had to build a separate instance of wolfSSL for the server side like this: 

./configure --enable-dtls --enable-dtls13
make all 
./examples/server/server -u -v 3 -c certs/server-cert.pem -k certs/server-key.pem

That's when I saw 

err = -173, Bad function argument

Let me run this with a debugger and get some better information. Unfortunately, I can't use your stack trace as the line numbers don't match what I have. I'm not sure what version of wolfSSL you are using.  Please stay tuned.

In the meantime, can you please let me know some information about yourself and your project?  We love know about the people that use our code and what they are doing with it.  Some example questions for you:

- where are you geographically located?
- what are your goals?
- is your project personal, academic or professional?
- is there an institution associated with this work?

If you do not want to disclose this information on a public forum, feel free to send it to me at anthony@wolfssl.com

Warm regards, Anthony

Go to forum: wolfSSL

46 Reply by anthony

(5 replies, posted in wolfSSL)

Hello likewise,
Can you please send a message to support@wolfssl.com noting your interest in this feature? 
Thanks and warm regards, Anthony

Go to forum: wolfSSL

47 Reply by anthony

(6 replies, posted in wolfSSL)

Hi jacob.andersen,

Yes, the correct way would be 2 separate context objects. Please try that and let us know how it goes.

Warm regards, Anthony

Go to forum: wolfSSL

48 Reply by anthony

(8 replies, posted in wolfSSL)

Hi Tony,
Excellent.  Instead of putting up a pull request, can you put up a bug report.  We have a preference for bug reports as accepting pull requests would require you submit a contributor agreement.
Warm regards, Anthony

Go to forum: wolfSSL

49 Reply by anthony

(8 replies, posted in wolfSSL)

Correction: TLS 1.2 connection.  Not TLS 1.3 connection.

Go to forum: wolfSSL

50 Reply by anthony

(8 replies, posted in wolfSSL)

Hi Tony,

I've modified your user_settings.h.  See the end of this message.  Then on my linux machine built with the following command: 

./configure --enable-usersettings

I then downloaded your root certificate and executed the example client like this: 

./examples/client/client -A root.pem  -h a2jtk2rms8uea8-ats.iot.us-east-1.amazonaws.com -p 8883

And I got a successful TLS 1.3 connection. 

This tells me there might be some incompatibility with the way freeRTOS is being used or the way wolfMQTT is calling into wolfSSL. The most likely problem is a memory issue.  How much memory are you giving to this process?   Perhaps try increasing it?

Warm regards, Anthony

=============================================
#ifndef USER_SETTINGS_H
#define USER_SETTINGS_H

#define WOLFSSL_IGNORE_FILE_WARN

/*-- Cipher related definitions  -----------------------------------------------
*
*
*----------------------------------------------------------------------------*/
#define WOLFSSL_ALT_CERT_CHAINS



#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS

#define HAVE_SUPPORTED_CURVES
#define HAVE_FFDHE_2048

#ifndef WOLFSSL_OPTIONS_IGNORE_SYS
    #undef  _POSIX_THREADS
    #define _POSIX_THREADS
#endif

#define HAVE_THREAD_LS
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING

#define HAVE_AESGCM
#define HAVE_AESCCM
#define HAVE_AES_ECB
#define WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_DIRECT

#define WOLFSSL_SHA512
#define WOLFSSL_SHA384
#define HAVE_HKDF

#define HAVE_ECC
#define TFM_ECC256
#define ECC_SHAMIR
#define WC_RSA_PSS
#define WOLFSSL_BASE64_ENCODE

#define WOLFSSL_KEY_GEN


#define HAVE_ECC_CDH
#define WC_RSA_NO_PADDING
#define WOLFSSL_VALIDATE_FFC_IMPORT
#define WOLFSSL_VALIDATE_ECC_IMPORT
#define HAVE_FFDHE_Q
#define WOLFSSL_NO_SHAKE256

#define WOLFSSL_CMAC
#define WOLFSSL_SHA224
#define WOLFSSL_SHA3
#define WOLFSSL_SHAKE256
#define HAVE_HASHDRBG

#define HAVE_SUPPORTED_CURVES
#define HAVE_EXTENDED_MASTER
#define HAVE_ENCRYPT_THEN_MAC
#define USE_FAST_MATH
#define WOLFSSL_X86_64_BUILD
#define WC_NO_ASYNC_THREADING
#define HAVE_DH_DEFAULT_PARAMS
#define HAVE___UINT128_T    1

#define NO_DSA
#define NO_HC128
#define NO_RABBIT
#define NO_RC4
#define NO_PSK
#define NO_MD4
#define NO_PWDBASED

/*-- Debugging options  ------------------------------------------------------
*
* "DEBUG_WOLFSSL" definition enables log to output into stdout.
* Note: wolfSSL_Debugging_ON() must be called just after wolfSSL_Init().
*----------------------------------------------------------------------------*/

#define DEBUG_WOLFSSL



#endif /* USER_SETTINGS_H */
========================================

Go to forum: wolfSSL