1

(4 replies, posted in wolfSSL)

Ok Chris,

One last thing again

As I said, I print the data received and the data sent using the following code in io.c:

    sent = SEND_FUNCTION(sd, &buf[sz - len], len, 0);
    /* pass the pointer: buf[sz - len] is one char and %s would dereference it as an
       address; %s also stops at the first 0x00 byte, so binary TLS data prints badly */
    print("SEND_FUNCTION\r\n--------------------\r\nData send : %s \r\nBytes Send : %d\r\n--------------------\r\n",
          &buf[sz - len], len);
    recvd = RECV_FUNCTION(sd, (char *)buf, sz, 0);
    if (recvd > 0) {                           /* on error or EOF there is nothing to print */
        char old = buf[recvd - 1];
        buf[recvd - 1] = '\0';                 /* terminate at the received length; hides that last byte */
        print("RECV_FUNCTION\r\n--------------------\r\nData received : %s  \r\nBytes Received %d\r\n--------------------\r\n",
              buf, recvd);
        buf[recvd - 1] = old;
    }

but it prints what I mentioned before.

Where else can I check the buffers sent and received?

Moreover, what messages should I expect to see printed at each step?

Actually, because I have SSL_FILETYPE_PEM I won't understand what will be printed, so I set SSL_FILETYPE_DEFAULT.

The problem now is that wolfSSL_CTX_use_certificate_buffer and wolfSSL_CTX_use_PrivateKey_buffer return error -4 (BAD_FILE) in both the client and the server code.

I double-checked the certificates and nothing seems to be wrong! I cannot understand what else could go wrong.

Any help?

2

(4 replies, posted in wolfSSL)

The error number that I get on the client side is -155 (ASN_SIG_CONFIRM_E).

This error usually means that the client can't verify the server certificate that it receives, and typically means users have loaded the incorrect CA certificate into the client.  Can you double check that your certificate buffers are correct?

As I said, I print the data received and the data sent using the following code in io.c:

    sent = SEND_FUNCTION(sd, &buf[sz - len], len, 0);
    /* pass the pointer: buf[sz - len] is one char and %s would dereference it as an
       address; %s also stops at the first 0x00 byte, so binary TLS data prints badly */
    print("SEND_FUNCTION\r\n--------------------\r\nData send : %s \r\nBytes Send : %d\r\n--------------------\r\n",
          &buf[sz - len], len);

    recvd = RECV_FUNCTION(sd, (char *)buf, sz, 0);
    if (recvd > 0) {                           /* on error or EOF there is nothing to print */
        char old = buf[recvd - 1];
        buf[recvd - 1] = '\0';                 /* terminate at the received length; hides that last byte */
        print("RECV_FUNCTION\r\n--------------------\r\nData received : %s  \r\nBytes Received %d\r\n--------------------\r\n",
              buf, recvd);
        buf[recvd - 1] = old;
    }

but it prints what I mentioned before.

Where else can I check the buffers sent and received?

For testing your SSL connection in general (apart from certificate verification problems), you can always temporarily disable verification of the server by calling:

wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

from your client code (see ./examples/client/client.c for example usage).  This will disable the client from verifying the server certificate it receives.

Yes, but in the real world I want to verify the server certificate, right?

Finally, can you tell me which certificates I should load on the client and on the server, so as to be sure that I load the correct certificates?

3

(4 replies, posted in wolfSSL)

I have created a client-server model and all steps seem to go fine until the client calls the function wolfSSL_connect().

First I want to say that on the CLIENT code I do the following steps without getting any error!
############################################################################
    #include <wolfssl/ssl.h>

    wolfSSL_Init();
    WOLFSSL_CTX* ctx;

    /* Create and initialize WOLFSSL_CTX structure */
    if ((ctx = wolfSSL_CTX_new(wolfTLSv1_client_method())) == NULL) {
        print("SSL_CTX_new error.\r\n");
    }

    /* ca_cert is an array that holds the ca-cert file from the finished_src/echoclient
       example. I do not have a filesystem. */
    cert_size = sizeof(ca_cert);

    /* 1 == SSL_FILETYPE_PEM; use the named constant */
    if (wolfSSL_CTX_load_verify_buffer(ctx, ca_cert, cert_size, SSL_FILETYPE_PEM) != SSL_SUCCESS) {
        print("Error loading ./ca-cert.pem, please check the file.\r\n");
    }

    WOLFSSL* ssl;

    if ((ssl = wolfSSL_new(ctx)) == NULL) {
        print("Unable to create SSL Object\r\n");
    }

    if (wolfSSL_set_fd(ssl, socket_fd) != SSL_SUCCESS)
        print("SSL_set Object failed\r\n");

############################################################################


On the SERVER code I have the following steps, again without getting any errors!
############################################################################

    wolfSSL_Init();    /* Initialize wolfSSL */
    WOLFSSL_CTX* ctx;

    /* Create and initialize WOLFSSL_CTX structure */
    if ((ctx = wolfSSL_CTX_new(wolfTLSv1_server_method())) == NULL) {
        print("SSL_CTX_new error.\r\n");
    }

    /* Again here ca_cert, serv_cert and serv_key are arrays that hold the files
       included in the finished_src/echoserver example */
    cl_cert_size   = sizeof(ca_cert);
    serv_cert_size = sizeof(serv_cert);
    serv_key_size  = sizeof(serv_key);

    /* !!!!!!! HERE I DO NOT UNDERSTAND WHY WE HAVE TO LOAD "ca_cert" ON THE SERVER SIDE !!!!!!!
       These will be used to verify the server we connect to */
    if (wolfSSL_CTX_load_verify_buffer(ctx, ca_cert, cl_cert_size, SSL_FILETYPE_PEM) != SSL_SUCCESS) {
        print("Error loading ./ca-cert.pem, please check the file.\r\n");
    }

    /* Load server certificate into WOLFSSL_CTX (1 == SSL_FILETYPE_PEM) */
    if (wolfSSL_CTX_use_certificate_buffer(ctx, serv_cert, serv_cert_size, SSL_FILETYPE_PEM) != SSL_SUCCESS) {
        print("Error loading ./server-cert.pem, please check the file.\r\n");
        /* exit(EXIT_FAILURE); */
    }

    if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, serv_key, serv_key_size, SSL_FILETYPE_PEM) != SSL_SUCCESS) {
        print("Error loading ./server-key.pem, please check the file.\r\n");
        /* exit(EXIT_FAILURE); */
    }

    WOLFSSL* ssl;

    /* Create WOLFSSL Object */
    if ((ssl = wolfSSL_new(ctx)) == NULL) {
        print("Unable to create SSL object\r\n");
    }

    if (wolfSSL_set_fd(ssl, fd_current) != SSL_SUCCESS)
        print("SSL_set Object failed\r\n");

############################################################################

Moreover, I did not define WOLFSSL_DTLS.

In the function EmbedReceive I added the following line:
print("RECV_FUNCTION\r\n--------------------\r\nData received : %s  \r\nBytes Received %d\r\n--------------------\r\n",buf,sz);

after

recvd = RECV_FUNCTION(sd, (char *)buf, sz, 0);

so as to print the data received and the number of bytes received.

In the function EmbedSend I added another line for the data sent and the bytes.

The messages that the client and server exchanged during the handshake are shown below:

-------------------CLIENT SIDE-------------------------------

Trying to establish SSL connection

1. CONNECT BEGIN SEND CLIENT HELLO
SEND_FUNCTION
--------------------
Data send :áa
Bytes Send : 64
--------------------
1. CONNECT BEGIN SEND CLIENT HELLO COMPLETED

2. CLIENT HELLO SENT
RECV_FUNCTION
--------------------
Data received :
Bytes Received 5
--------------------
RECV_FUNCTION
--------------------
Data received :
Bytes Received 74
--------------------
Do Hand Shake Msg ret 0
RECV_FUNCTION
--------------------
Data received :
Bytes Received 5
--------------------
RECV_FUNCTION
--------------------
Data received :

Bytes Received 546
--------------------
Do Hand Shake Msg ret -155

FATAL ERROR

SSL_connect failed


----------------------------SERVER SIDE----------------------------------------
Waiting to establish SSL connection

1. ACCEPT BEGIN : CLIENT HELLO
RECV_FUNCTION
--------------------
Data received :
Bytes Received 5
--------------------
RECV_FUNCTION
--------------------
Data received :
Bytes Received 59
--------------------

1. CLIENT HELLO MESSAGE DONE

2. ACCEPT CLIENT HELLO DONE
2. ACCEPT CLIENT HELLO DONE COMPLETED

3. HELLO VERIFY SENT
3. HELLO VERIFY SENT COMPLETED

4. ACCEPT FIRST REPLY DONE
SEND_FUNCTION
--------------------
Data send :áa
Bytes Send : 79
--------------------
4. ACCEPT FIRST REPLY DONE COMPLETED

5. SERVER HELLO SENT
SEND_FUNCTION
--------------------
Data send :áa
Bytes Send : 551
--------------------
5. SERVER HELLO SENT DONE COMPLETED

6. SEND SERVER KEY EXCHANGE
6. SEND SERVER KEY EXCHANGE COMPLETED

7. SEND CERTIFICATE REQUEST
7. SEND CERTIFICATE REQUEST DONE

8. CERTIFICATE REQUEST SENT
SEND_FUNCTION
--------------------
Data send :áa
Bytes Send : 9
--------------------
8. CERTIFICATE REQUEST SENT COMPLETED

9. SERVER HELLO DONE
RECV_FUNCTION
--------------------
Data received :
Bytes Received 5
--------------------
SSL_accept failed

The error number that I get on the client side is -155 (ASN_SIG_CONFIRM_E)

and on the server side is -208 (SOCKET_ERROR_E).

Any help?
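The traces in this post show wolfSSL's two-step reads (5 bytes, then 74; 5 bytes, then 546), but the %s prints show nothing because the data is binary and %s stops at the first zero byte. What I would put in the I/O callbacks instead, as an added example that is not code from the thread or from wolfSSL: decode the 5-byte TLS record header (content type, version, length) and hex-dump the body, labelling handshake bodies by message type. The function names are mine, and the sample bytes in main() are constructed, not captured from the poster's board.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TLS record header: content type (1 byte), version (2), body length (2). wolfSSL asks
   the receive callback for these 5 bytes first and for the body afterwards, which is
   why the trace shows a 5-byte read before each larger one. */
#define TLS_RECORD_HDR_LEN 5

typedef struct {
    uint8_t  type;     /* 20 change_cipher_spec, 21 alert, 22 handshake, 23 application_data */
    uint8_t  major;
    uint8_t  minor;    /* 3.1 is TLS 1.0, what wolfTLSv1_client_method() speaks */
    uint16_t length;   /* body bytes that follow the header */
} tls_record_hdr;

const char *tls_content_type_name(uint8_t t) {
    switch (t) {
    case 20: return "change_cipher_spec";
    case 21: return "alert";
    case 22: return "handshake";
    case 23: return "application_data";
    default: return "unknown";
    }
}

/* First byte of a handshake message is its HandshakeType. */
const char *tls_handshake_type_name(uint8_t t) {
    switch (t) {
    case 1:  return "client_hello";
    case 2:  return "server_hello";
    case 11: return "certificate";
    case 12: return "server_key_exchange";
    case 13: return "certificate_request";
    case 14: return "server_hello_done";
    case 15: return "certificate_verify";
    case 16: return "client_key_exchange";
    case 20: return "finished";
    default: return "unknown";
    }
}

/* Returns 0 and fills *out, or -1 if the buffer is short or not a plausible header. */
int tls_parse_record_hdr(const uint8_t *buf, size_t n, tls_record_hdr *out) {
    if (buf == NULL || out == NULL || n < TLS_RECORD_HDR_LEN) return -1;
    out->type   = buf[0];
    out->major  = buf[1];
    out->minor  = buf[2];
    out->length = (uint16_t)((buf[3] << 8) | buf[4]);
    if (out->type < 20 || out->type > 23 || out->major != 3) return -1;
    if (out->length > 16384 + 2048) return -1;   /* above the TLSCiphertext maximum */
    return 0;
}

/* Body length announced by a header, or -1 if the bytes are not a header. */
int tls_record_body_len(const uint8_t *buf, size_t n) {
    tls_record_hdr h;
    return tls_parse_record_hdr(buf, n, &h) == 0 ? (int)h.length : -1;
}

/* TLS records are binary, so dump them as hex rather than with %s. */
void hexdump(const char *label, const uint8_t *buf, size_t n) {
    size_t i;
    printf("%s (%u bytes)\r\n", label, (unsigned)n);
    for (i = 0; i < n; i++)
        printf("%02x%s", buf[i], ((i + 1) % 16 == 0 || i + 1 == n) ? "\r\n" : " ");
}

/* Call from EmbedSend/EmbedReceive with the buffer wolfSSL handed over. *last holds the
   most recent header for that direction (keep one static per callback) so a body-only
   chunk can be labelled. A send passes header+body in one buffer, a receive delivers
   them in two reads; both shapes are handled. Returns the header's content type, or -1. */
int dump_tls_chunk(const char *dir, const uint8_t *buf, size_t n, tls_record_hdr *last) {
    tls_record_hdr h;
    int hdr_type = -1;
    if (tls_parse_record_hdr(buf, n, &h) == 0 &&
        (n == TLS_RECORD_HDR_LEN || h.length == n - TLS_RECORD_HDR_LEN)) {
        *last = h;
        hdr_type = h.type;
        printf("%s record: %s, version %u.%u, body %u bytes\r\n", dir,
               tls_content_type_name(h.type), h.major, h.minor, h.length);
        buf += TLS_RECORD_HDR_LEN;
        n   -= TLS_RECORD_HDR_LEN;
    }
    if (n > 0) {
        if (last->type == 22)
            printf("%s handshake message: %s\r\n", dir, tls_handshake_type_name(buf[0]));
        hexdump(dir, buf, n);
    }
    return hdr_type;
}

int main(void) {
    /* Constructed sample: a TLS 1.0 handshake header announcing a 74-byte body,
       then the start of a server_hello body. */
    static const uint8_t hdr[]  = { 0x16, 0x03, 0x01, 0x00, 0x4a };
    static const uint8_t body[] = { 0x02, 0x00, 0x00, 0x46, 0x03, 0x01 };
    tls_record_hdr last = { 0, 0, 0, 0 };
    dump_tls_chunk("recv", hdr, sizeof hdr, &last);
    dump_tls_chunk("recv", body, sizeof body, &last);
    return 0;
}
```

In EmbedReceive the call goes right after RECV_FUNCTION with (buf, recvd) when recvd is positive; in EmbedSend it goes before SEND_FUNCTION with (&buf[sz - len], len). A record whose body arrives in several reads is simply hex-dumped piece by piece, since only the first chunk is checked against the announced length.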

4

(5 replies, posted in wolfSSL)

Hello Chris,

I did all the steps you described, and actually I followed the exact steps included in the wolfSSL embedded SSL Manual for creating a client-server model.

If you like, I can send you the exact code that I created.

5

(5 replies, posted in wolfSSL)

Hello Chris,

I already use BSD-style sockets. Any other ideas?

6

(5 replies, posted in wolfSSL)

Hello,

I am trying to create a demo client-server on our lwIP module. We have no filesystem.

On the client side, when I call

wolfSSL_connect(ssl)

for the first time, the client needs to say hello to the server, so it calls EmbedSend and in the line

208  sent = SEND_FUNCTION(sd, &buf[sz - len], len, 0);  // SEND_FUNCTION is defined as the lwIP send

it sends buf to the server.


On the server side, in wolfSSL_accept(ssl),

in the function EmbedReceive, when the server gets to the line where it has to read the client's hello,

163 recvd = RECV_FUNCTION(sd, (char *)buf, sz, 0);

it prints the message

"assert!!netconn_accept: invalid recvmbox"

on the screen and the server gets stuck there.

Does anyone know what the problem might be?

7

(1 replies, posted in wolfSSL)

Hello again,

I have integrated wolfSSL into our API and now I want to run a few tests to check whether the layer performs correctly! I mean that I need to connect to a server or a client that uses SSL, to see whether my client or server will connect with SSL, exchange certificate messages, etc. The thing is that I cannot find an application for this purpose! I need something like TCP/IP Builder! Does anyone know of such an application, or is there any other way to check whether my SSL works correctly?

Thank you

Hello Chris,

Thank you very much for your advice; since I am new to SSL I found it really helpful!

I followed all of your steps. So far my definitions are as follows:
#ifdef ECONAIS
    #include "libwismart.h"
    #define WOLFSSL_LWIP
    #define NO_FILESYSTEM
    #define NO_WRITEV
//  #define NO_DEV_RANDOM
    /* Since ChibiOS does not have realloc I created my own realloc "XREALLOC"; it is
       shown below (if you can take a quick look and tell me whether it seems right to
       you I would be pleased). The three hooks share wrappers that keep each block's
       size in a header, because a realloc has to know how much to copy. The trailing
       ';' the XFREE macro had is gone: it broke "if (...) XFREE(p, h, t); else ..." */
    void *econais_malloc(size_t size);
    void  econais_free(void *ptr);
    void *econais_realloc(void *ptr, size_t size);
    #define XMALLOC(s, h, type)     econais_malloc((s))
    #define XFREE(p, h, type)       econais_free((p))
    #define XREALLOC(p, n, h, type) econais_realloc((p), (n))
#endif

#include <stddef.h>
#include <string.h>

/* size header kept in front of every block; the union keeps the payload aligned */
typedef union { size_t size; double align; } econais_hdr;

void *econais_malloc(size_t size)
{
    econais_hdr *h = chHeapAlloc(NULL, sizeof(econais_hdr) + size);
    if (h == NULL) return NULL;
    h->size = size;
    return h + 1;                              /* memory right after the header */
}

void econais_free(void *ptr)
{
    if (ptr != NULL) chHeapFree((econais_hdr *)ptr - 1);
}

void *econais_realloc(void *ptr, size_t size)
{
    void *newptr = econais_malloc(size);       /* NULL on failure; old block stays valid */
    if (newptr == NULL) return NULL;

    if (ptr != NULL) {
        size_t old = ((econais_hdr *)ptr - 1)->size;
        /* copy only what the old block holds; copying 'size' bytes would read past
           the end of a smaller old block */
        memcpy(newptr, ptr, old < size ? old : size);
        econais_free(ptr);
    }
    return newptr;
}

Moreover, I added our mutex definition in internal.h:

#ifdef SINGLE_THREADED
    typedef int wolfSSL_Mutex;
#else /* MULTI_THREADED */
    #ifdef ECONAIS
        typedef Mutex wolfSSL_Mutex;       /* ChibiOS Mutex */
    #endif
    /* ... existing platform typedefs ... */
#endif

Finally, I wrote my own GenerateSeed, which is shown below:

int GenerateSeed(OS_Seed* os, byte* output, word32 sz)
{
    word32 i;                        /* same type as sz; avoids a signed/unsigned compare */
    (void)os;

    /* every byte is derived from the millisecond tick; the tick barely moves during
       one call, so the buffer is close to constant and follows from the uptime */
    for (i = 0; i < sz; i++) {
        output[i] = (byte)(chTimeNow() % 256);
    }

    return 0;
}

chTimeNow returns the milliseconds since the program started.

I also used chTimeNow instead of gettimeofday (we do not support gettimeofday), and I do not know whether I will have any problem with it!?

To your question: my project, as I said, is to create SSL over our existing TCP/IP stack, and I am trying to do so by porting wolfSSL. The wireless embedded system that I am working on is the EC32S13 ( http://www.econais.com/wp/?page_id=114 )!
On the website you can find a lot of information on who we are and what we do! If you have any queries about us, please feel free to ask and we will be glad to answer your questions.

Yours sincerely,
Andreas
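GenerateSeed in the post above fills the whole buffer from the millisecond tick, so every byte of one call comes from the same or an adjacent tick value. An added example, mine rather than the poster's or wolfSSL's: a seed self-check that rejects a flat buffer, run against a simulated tick (an assumption standing in for chTimeNow) and against a constructed varied buffer as the positive control. The thresholds are a judgement call, and the byte/word32 typedefs are repeated from wolfSSL's types.h so the file stands alone.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint8_t  byte;     /* as in wolfSSL's types.h, repeated so this file stands alone */
typedef uint32_t word32;

/* Simulated chTimeNow() (assumption, not ChibiOS): a millisecond tick that does not
   advance while the seed loop runs, which is what a fast MCU sees. */
static uint32_t fake_now_ms = 123456;
static uint32_t fake_chTimeNow(void) { return fake_now_ms; }

/* Seed routine shaped like the one in the post, fed by the simulated tick. */
int seed_from_tick(byte *output, word32 sz) {
    word32 i;
    for (i = 0; i < sz; i++)
        output[i] = (byte)(fake_chTimeNow() % 256);
    return 0;
}

/* Constructed positive control: varied bytes with no repeats (i * 37 mod 256 is a
   permutation for i < 256). Not random either, just not flat. */
int seed_varied(byte *output, word32 sz) {
    word32 i;
    for (i = 0; i < sz; i++)
        output[i] = (byte)(i * 37 + 11);
    return 0;
}

/* Crude uniformity check: distinct byte values and the longest run of equal bytes.
   Returns 1 if the buffer is plausible seed material, 0 otherwise. The thresholds
   are an assumption; they catch flat or near-flat buffers, not subtle bias. */
int seed_looks_ok(const byte *buf, size_t n) {
    int seen[256] = {0};
    size_t distinct = 0, run = 1, longest = 1, i;
    if (n < 16) return 0;
    for (i = 0; i < n; i++) {
        if (!seen[buf[i]]) { seen[buf[i]] = 1; distinct++; }
        if (i > 0 && buf[i] == buf[i - 1]) { if (++run > longest) longest = run; }
        else run = 1;
    }
    return distinct >= n / 2 && longest <= 4;
}

/* Fill a buffer with the given routine and run the check; 1 = passes, 0 = rejected.
   wolfSSL's InitRng passes GenerateSeed's return value up, so a seed routine that
   returns nonzero on rejection makes RNG initialisation fail visibly instead of
   starting from a predictable state. */
int check_seed_source(int (*gen)(byte *, word32), word32 sz) {
    byte buf[64];
    if (sz > sizeof buf) sz = sizeof buf;
    if (gen(buf, sz) != 0) return 0;
    return seed_looks_ok(buf, sz);
}
```

The tick-fed routine yields 32 identical bytes and is rejected; the varied control passes. The check is a tripwire for a broken seed source, not a replacement for one: it cannot turn a clock into entropy, only report that the buffer looks like one.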

To be more specific, our module has 768 kB of flash and 96 kB of SRAM. We need to integrate wolfSSL into our existing library.
So far in settings.h I have this:

#ifdef MY_EMBEDDED
    #define WOLFSSL_LWIP
    #define NO_FILESYSTEM
    #define NO_WRITEV
#endif

and I need help with what else I should define for lwIP and low-memory use of wolfSSL.

Thank you.

Hello,

I have been assigned to port wolfSSL embedded SSL 2.4.0 to our API! Our wireless embedded system supports the lwIP TCP/IP stack and I need to make the application as light as it can get! On the kernel side the system runs the libraries of
ChibiOS ( http://chibios.sourceforge.net/docs/ker … index.html ) and we do not support a file system! I want to ask for your advice on which definitions I need to make in settings.h so as to use wolfSSL with the lwIP TCP/IP stack and no file system!

Thank you.
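The two posts above ask what to define for lwIP with no filesystem and little memory. An added example, not from the thread and not wolfSSL's documentation: a settings.h fragment under the poster's MY_EMBEDDED guard listing build macros wolfSSL understands, with what each one switches off or hands over to the port. The selection is an assumption to start from, the flash and RAM effect of each macro is not measured here, and whether a given release has a particular macro must be checked against that release's settings.h.

```c
/* settings.h fragment for a no-filesystem lwIP port (added example) */
#ifdef MY_EMBEDDED
    #define WOLFSSL_LWIP          /* lwIP socket headers in the I/O layer                  */
    #define NO_FILESYSTEM         /* only the *_buffer() certificate and key loaders      */
    #define NO_WRITEV             /* lwIP has no writev()                                  */
    #define NO_DEV_RANDOM         /* no /dev/random: the port supplies GenerateSeed()       */
    #define USER_TICKS            /* the port supplies LowResTimer() for session timeouts  */
    #define NO_MAIN_DRIVER        /* build the test sources without their own main()       */
    #define SINGLE_THREADED       /* drop the mutex layer if one thread owns all SSL work  */

    /* trim code size: algorithms and features a small client/server rarely needs */
    #define NO_DES3
    #define NO_DSA
    #define NO_RC4
    #define NO_MD4
    #define NO_PSK
    #define NO_PWDBASED
    #define NO_HC128
    #define NO_RABBIT
    #define NO_ERROR_STRINGS      /* keep numeric error codes only; the text tables cost flash */
    #define NO_SESSION_CACHE      /* or SMALL_SESSION_CACHE if session resumption is wanted    */
#endif
```

With SINGLE_THREADED the ChibiOS Mutex typedef is not needed; keep it instead if more than one thread will touch wolfSSL objects. NO_DEV_RANDOM is the macro that makes the build require a GenerateSeed() from the port, so it belongs together with a seed source that is better than a millisecond tick.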