For your immediate convenience, here is the specific code I was thinking would interest you:

static int test_wc_AesCtrEncryptDecrypt(void)
{
    EXPECT_DECLS;
#if !defined(NO_AES) && defined(WOLFSSL_AES_COUNTER) && defined(WOLFSSL_AES_256)
    Aes aesEnc;
    Aes aesDec;
    byte key32[] = {
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
        0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
        0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66
    };
    byte vector[] = { /* Now is the time for all w/o trailing 0 */
        0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
        0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
        0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
    };
    byte iv[] = "1234567890abcdef";
    byte enc[AES_BLOCK_SIZE * 2];
    byte dec[AES_BLOCK_SIZE * 2];

    /* Init stack variables. */
    XMEMSET(&aesEnc, 0, sizeof(Aes));
    XMEMSET(&aesDec, 0, sizeof(Aes));
    XMEMSET(enc, 0, AES_BLOCK_SIZE * 2);
    XMEMSET(dec, 0, AES_BLOCK_SIZE * 2);

    ExpectIntEQ(wc_AesInit(&aesEnc, NULL, INVALID_DEVID), 0);
    ExpectIntEQ(wc_AesInit(&aesDec, NULL, INVALID_DEVID), 0);

    ExpectIntEQ(wc_AesSetKey(&aesEnc, key32, AES_BLOCK_SIZE * 2, iv,
        AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesCtrEncrypt(&aesEnc, enc, vector,
        sizeof(vector)/sizeof(byte)), 0);
    /* Decrypt with wc_AesCtrEncrypt() */
    ExpectIntEQ(wc_AesSetKey(&aesDec, key32, AES_BLOCK_SIZE * 2, iv,
        AES_ENCRYPTION), 0);
    ExpectIntEQ(wc_AesCtrEncrypt(&aesDec, dec, enc, sizeof(enc)/sizeof(byte)),
        0);
    ExpectIntEQ(XMEMCMP(vector, dec, sizeof(vector)), 0);

    /* Test bad args. */
    ExpectIntEQ(wc_AesCtrEncrypt(NULL, dec, enc, sizeof(enc)/sizeof(byte)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCtrEncrypt(&aesDec, NULL, enc, sizeof(enc)/sizeof(byte)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    ExpectIntEQ(wc_AesCtrEncrypt(&aesDec, dec, NULL, sizeof(enc)/sizeof(byte)),
        WC_NO_ERR_TRACE(BAD_FUNC_ARG));

    wc_AesFree(&aesEnc);
    wc_AesFree(&aesDec);
#endif
    return EXPECT_RESULT();
}

Hi ,

Excellent!  We here at wolfSSL would love to encourage your efforts.  Please, let's continue this conversation over on our technical support channel.  Please send a message to support@wolfssl.com.  This will get you started on the right note!

Warm regards, Anthony

You can find it online here: https://raw.githubusercontent.com/wolfS … ests/api.c

Note that it is a rather large file.  Can you let us know a bit more about yourself and your project?  If you would rather share information about yourself via a confidential channel, please send a message to support@wolfssl.com.

Warm regards, Anthony

Hi,

Yes, please find it here: https://github.com/wolfSSL/wolfssl/blob … sl.h#L3355

For your convenience it is defined as:

WOLFSSL_API int wolfSSL_X509_CRL_print(WOLFSSL_BIO* bio,
                                       WOLFSSL_X509_CRL* crl);

Since this is out of professional interest please direct further questions to support@wolfssl.com.  That is a confidential support system where you will be able to better share information about yourself, your project and your use case so that we can more easily assist you.  If possible, please use a work email address.

Warm regards, Anthony

Hi HAPPY,

Thanks for asking your question. We have the following API that might interest you: wolfSSL_X509_CRL_print().  Please let me know if my suggestion is helpful.

Can you please let us know about yourself and your project?  Where are you geographically located?  What are your goals? Are you doing this project out of personal, professional or academic interest?

Warm regards, Anthony

Hi,

Another great place to look is tests/api.c.  You can look at test_wc_AesCtrEncryptDecrypt() in there to see how to use the API.  When you compile, what errors are you seeing?

We'd love to know more about you and your project.  Where are you located?  What are your goals? Please do let us know!

Warm regards, Anthony

Hello courtneyendic735,

My name is Anthony and I am a member of the wolfSSL team.

We've actually noticed the same problem earlier and are looking into a fix.  Currently, we have 2 solutions.

- Please have a look at https://github.com/wolfSSL/wolfCLU/pull/159 .  This is not a long term fix as it has side effects when doing OCSP and CRL verifications. I am currently looking into improving this PR.  Stay tuned and monitor that PR please.
- Please have a look at https://github.com/wolfSSL/wolfssl-exam … ertmanager .  This example will verify the chain as you described.

Here at wolfSSL we love it when people use our product.  Can you let us know a bit about yourself and your project?  For example:

- Where are you geographically located?
- What are your goals?
- Is this out of professional, academic or personal interest?
- Is there an institution associated with this effort?
- Any other information you care to share.

If you would like to share this information confidentially, you can send it to me via email at anthony@wolfssl.com.

Thanks and let me know if my suggestions help.

Warm regards, Anthony

Sunnysunday,

Can you please let me know a bit about what you are trying to do?  What are your goals?  Is this project out of academic, professional or personal interest?

Warm regards, Anthony

Hello Sunnysunday,
My name is Anthony and I am a member of the wolfSSL team.  Please try defining the following macros in your user_settings.h file:


WOLFSSL_TRACK_MEMORY
WOLFSSL_TRACK_MEMORY_VERBOSE

Let me know if that gives you the desired output.

Warm regards, Anthony

10

(4 replies, posted in wolfSSL)

Hi Simone,

Can you try using the supported SSP version 1.7.0?  That is the version specified in the README.md file.
It seems this inquiry is out of professional interest. 
In order to protect your confidentiality, if you have further questions, please send them to support@wolfssl.com. 

Warm regards, Anthony

11

(4 replies, posted in wolfSSL)

Hi Simone,

Have you reached out to the Renesas support team yet?
Can you let me know what compilation errors you're seeing?

Warm regards, Anthony

Can you try version 5.7.4 or the latest of the master branch on GitHub?  I noticed there have been changes as line 30931 on master has the following:

        "LDR    r6, [%[a], #188]\n\t"

Warm regards, Anthony

13

(5 replies, posted in General Inquiries)

Hello Ida Sreenivas,

My name is Anthony and I am a member of the wolfSSL team.  Please note that you have a support plan with wolfSSL.  As such it would be more appropriate if you opened a support ticket.  You can do this by sending a message to support@wolfssl.com.  I look forward to helping you there.

Warm regards, Anthony

14

(3 replies, posted in wolfSSL)

Hi Isabelle,

https://datatracker.ietf.org/doc/html/r … tion-4.4.2 has the following paragraph:

Note: Prior to TLS 1.3, "certificate_list" ordering required each
   certificate to certify the one immediately preceding it; however,
   some implementations allowed some flexibility.  Servers sometimes
   send both a current and deprecated intermediate for transitional
   purposes, and others are simply configured incorrectly, but these
   cases can nonetheless be validated properly.  For maximum
   compatibility, all implementations SHOULD be prepared to handle
   potentially extraneous certificates and arbitrary orderings from any
   TLS version, with the exception of the end-entity certificate which
   MUST be first.

Without WOLFSSL_ALT_CERT_CHAINS we expect the proper ordering and no other extra certificates.  With WOLFSSL_ALT_CERT_CHAINS we follow the guidance above.

Warm regards, Anthony
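
The difference between the two behaviours described in the reply above, as an added example that is not part of the original post and is not wolfSSL code. It is a simplified model that matches subject and issuer names only (signature, validity and constraint checks are omitted); `cert_t`, both function names and the sample lists are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: names only; real validation also checks signatures. */
typedef struct { const char *subject, *issuer; } cert_t;

/* Strict: each cert is issued by the next one, the last by the trusted root. */
int strict_chain_ok(const cert_t *list, int n, const char *root)
{
    int i;
    if (n < 1) return 0;
    for (i = 0; i + 1 < n; i++)
        if (strcmp(list[i].issuer, list[i + 1].subject) != 0) return 0;
    return strcmp(list[n - 1].issuer, root) == 0;
}

/* Flexible (RFC 8446 4.4.2 note): leaf first, rest any order, extras ignored. */
int flexible_chain_ok(const cert_t *list, int n, const char *root)
{
    const cert_t *cur = list;               /* end-entity MUST be first */
    int steps, i;
    if (n < 1) return 0;
    for (steps = 0; steps < n; steps++) {   /* bounded walk: no issuer loops */
        const cert_t *next = NULL;
        if (strcmp(cur->issuer, root) == 0) return 1;
        for (i = 1; i < n && next == NULL; i++)
            if (&list[i] != cur && strcmp(list[i].subject, cur->issuer) == 0)
                next = &list[i];
        if (next == NULL) return 0;         /* issuer not in the list */
        cur = next;
    }
    return 0;
}

/* Constructed sample lists; "Root CA" stands for the local trust anchor. */
const cert_t ordered[] = {
    {"leaf.example", "Intermediate B"}, {"Intermediate B", "Intermediate A"},
    {"Intermediate A", "Root CA"} };
const cert_t shuffled[] = {   /* out of order plus a deprecated extra */
    {"leaf.example", "Intermediate B"}, {"Intermediate A", "Root CA"},
    {"Old Intermediate", "Old Root"}, {"Intermediate B", "Intermediate A"} };
const cert_t broken[] = {     /* the leaf's issuer was never sent */
    {"leaf.example", "Intermediate B"}, {"Intermediate A", "Root CA"} };

int main(void)
{
    printf("ordered:  strict=%d flexible=%d\n", strict_chain_ok(ordered, 3, "Root CA"), flexible_chain_ok(ordered, 3, "Root CA"));
    printf("shuffled: strict=%d flexible=%d\n", strict_chain_ok(shuffled, 4, "Root CA"), flexible_chain_ok(shuffled, 4, "Root CA"));
    return 0;
}
```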

15

(3 replies, posted in wolfSSL)

Hi Isabella,

My name is Anthony and I am a member of the wolfSSL team.  I will be helping you with this issue.  This happens quite often when connecting to large web infrastructures.  Please use --enable-altcertchains on your configure command line. If you don't use the configure script, please define WOLFSSL_ALT_CERT_CHAINS in your user_settings.h .

Here at wolfSSL we love learning about how people are using our libraries.  Can you please tell me a bit about yourself, your use case and any other information that would give us some context so that we can better help you?

Warm regards, Anthony

16

(2 replies, posted in wolfSSL)

Hello Shinzo,

My name is Anthony and I am a member of the wolfSSL team.

Yes, you are correct.  You'll need to use MakeCert/SignCert in order to use ECC.

Can you please let me know a bit about yourself and your project? What are you trying to achieve? Where are you geographically located? Is this question out of personal, academic or professional interest?  Are there any organizations associated with this work?  Any information is useful in helping us prioritize your request.

Warm regards, Anthony

17

(14 replies, posted in wolfSSL)

You need to use --enable-fips=ready

18

(14 replies, posted in wolfSSL)

Hi volga629,

In the past, we have seen this before, but it was because someone used --enable-fips instead of --enable-fips=ready.  Can you please try again, but this time double checking that you added the =ready ?

Here at wolfSSL we love to know how people in the community are using our code.  Can you tell us a bit about yourself and your project?  Where are you located? What are your goals?  Is this project personal, academic or professional in nature?  Also let us know anything interesting.

Warm regards, Anthony

No problem and my pleasure!!
Warm regards, Anthony

20

(5 replies, posted in General Inquiries)

Hi toni992,

My name is Anthony and I am a member of the wolfSSL team. The short answer is that it happens during the TLS handshake.

The longer more nuanced answer follows.  From RFC 8446 (TLS 1.3)  https://datatracker.ietf.org/doc/html/rfc8446#section-2 you can see the following:

       Client                                           Server

Key  ^ ClientHello
Exch | + key_share*
     | + signature_algorithms*
     | + psk_key_exchange_modes*
     v + pre_shared_key*       -------->
                                                  ServerHello  ^ Key
                                                 + key_share*  | Exch
                                            + pre_shared_key*  v
                                        {EncryptedExtensions}  ^  Server
                                        {CertificateRequest*}  v  Params
                                               {Certificate*}  ^
                                         {CertificateVerify*}  | Auth
                                                   {Finished}  v
                               <--------  [Application Data*]
     ^ {Certificate*}
Auth | {CertificateVerify*}
     v {Finished}              -------->
       [Application Data]      <------->  [Application Data]

The certificate and certificate verify messages are where it happens.

The Certificate message is where the certificate chain is sent to the peer.  The CertificateVerify message is where the signature of the TLS handshake transcript is sent.  The peer verifies the chain and the signature of the TLS handshake transcript.

Please let me know if you would like further clarifications.

This is a great question and here at wolfSSL we love to know about the community members and what they are doing.

Can you please let us know about your interest in wolfSSL and protocols?  Can you let us know about yourself and your projects?

For example, where are you located?  Can you let us know your goals?

Warm regards, Anthony

Hi,
This is Anthony again.

In src/tls13.c we have TlsCheckCookie() which is called by RestartHandshakeHashWithCookie() and in turn called by DoTls13ClientHello() when the server state is in SERVER_HELLO_RETRY_REQUEST_COMPLETE.  So, in a sense, yes, it is done automatically as part of the TLS 1.3 handshake protocol.

Warm regards, Anthony

Hi jlewis,

My name is Anthony and I am a member of the wolfSSL team.

I noticed that the issuer and subject are the same making this a Root CA certificate.  I think you might need a basic constraints extension that states that this is a CA certificate. 

Warm regards, Anthony

Hi,

We have the following APIs for setting the Authority Key ID and Subject Key ID:

WOLFSSL_API int wc_SetAuthKeyIdFromPublicKey_ex(Cert *cert, int keyType,
                                                void* key);
WOLFSSL_API int wc_SetAuthKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey,
                                             ecc_key *eckey);
WOLFSSL_API int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz);
WOLFSSL_API int wc_SetAuthKeyId(Cert *cert, const char* file);
WOLFSSL_API int wc_SetSubjectKeyIdFromPublicKey_ex(Cert *cert, int keyType,
                                                   void* key);
WOLFSSL_API int wc_SetSubjectKeyIdFromPublicKey(Cert *cert, RsaKey *rsakey,
                                                ecc_key *eckey);
WOLFSSL_API int wc_SetSubjectKeyId(Cert *cert, const char* file);

You can find examples of how to use these APIs in tests/api.c.


Can you please let us know about how you are using wolfSSL and what you are using it for?

Warm regards, Anthony

Hi ,
My name is Anthony and I am a member of the wolfSSL team.  I'll be helping you on this topic.  Please stay tuned as I will need to ask my wider engineering team.

Warm regards, Anthony

25

(1 replies, posted in wolfSSL)

Hi chyuk98,

Please check your email.  Scott McClung (scott@wolfssl.com) has replied to your license inquiry.  If you did not see it, please send another message to that email address directly.

Warm regards, Anthony