Topic: Wolfssl esp32 aes in ctr mode not compatible with x86 openssl EVP aes

Hello,

I'm having an issue encrypting things on my esp32 using `wc_AesCtrEncrypt` with a 128 bit key and decrypting them on an x86 computer using EVP aes in ctr mode. I first thought it was an endian-ness problem so I tried the following on both systems to see if it would show a pattern of how I need to swap my bytes: encrypt a plaintext of all 0's using a 128 bit key of all 0s and an iv of all 0s. Here is the code I used on the esp32:

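```c
int j;
Aes reusable_aes_key;
unsigned char key[16] = { 0 };                /* all-zero 128-bit key */
unsigned char aes_iv[16] = { 0 };             /* all-zero IV / initial counter block */
unsigned char temp_payload_plain[64] = { 0 }; /* all-zero plaintext, so the output is the raw keystream */
unsigned char temp_payload_cipher[64];

wc_AesInit( &reusable_aes_key, NULL, INVALID_DEVID );

/* CTR mode uses the encrypt direction for both encryption and decryption */
wc_AesSetKeyDirect( &reusable_aes_key, key, 16, aes_iv, AES_ENCRYPTION );
wc_AesCtrEncrypt( &reusable_aes_key, temp_payload_cipher, temp_payload_plain, 64 );
/* log one ciphertext byte per line */
for ( j = 0; j < 64; j++ ) {
  ESP_LOGE( TAG, "%.2x", temp_payload_cipher[j] );
}
```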

From the wolfssl encryption I got:

```
c0 7e 66 00 c0 7e 66 00 c0 7e 66 00 c0 7e 66 00
c0 7e 66 00 c0 7e 66 00 c0 7e 66 00 c0 7e 66 00
c0 7e 66 00 c0 7e 66 00 c0 7e 66 00 c0 7e 66 00
c0 7e 66 00 c0 7e 66 00 c0 7e 66 00 c0 7e 66 00
```

From the openssl side using `EVP_EncryptUpdate`:

```
66 e9 4b d4 ef 8a 2c 3b 88 4c fa 59 ca 34 2b 2e
58 e2 fc ce fa 7e 30 61 36 7f 1d 57 a4 e7 45 5a
03 88 da ce 60 b6 a3 92 f3 28 c2 b9 71 b2 fe 78
f7 95 aa ab 49 4b 59 23 f7 fd 89 ff 94 8b c1 e0
```

From this it looks like there's something more going on with the EVP aes ctr since its bytes are non-repeating. I looked into wolfssl and saw that there is compatibility for openssl and there are EVP libraries, but the esp32 doesn't seem to support openssl extras since there is no openssl directory in the port, and when I define the constant in user settings it gives me all kinds of errors. So basically I'm wondering what I would need to do to make the `wc_AesCtrEncrypt` function compatible with the EVP functions, or if there is a way to include the openssl extras into the esp32 build, assuming my assumptions aren't completely off and I haven't made a mistake setting up the aes object. Additionally, I can't really change the openssl side because it isn't my system; I'm just integrating with it, it's pre-existing and I have to meet its requirements.

Anyways, all help is appreciated, let me know if you need more info.


Re: Wolfssl esp32 aes in ctr mode not compatible with x86 openssl EVP aes

After adding `#define NO_WOLFSSL_ESP32WROOM32_CRYPT_AES` to my user settings, the cipher buffers now match on the wolfssl and openssl side. This leads me to believe there is a bug in the hw accelerated part of the port; is this a known bug? If not, I can investigate it some more when I finish the task at hand. Hopefully this isn't a bug on the esp32 side or a problem with the esp hardware; it would suck to not be able to use hardware acceleration.


Re: Wolfssl esp32 aes in ctr mode not compatible with x86 openssl EVP aes

Hi jpbland,

Thank you so much for reaching out about this issue and for the report. I am checking with our team that worked on the Espressif hardware port, it's possible there is simply a bug in the handoff to the hardware given this is AES-CTR mode (a less common mode). Have you tested with AES-GCM or AES-CBC modes and hardware crypto support enabled? Do those modes work and only AES-CTR mode is not working?

Warm Regards,

K

Re: Wolfssl esp32 aes in ctr mode not compatible with x86 openssl EVP aes

Hi jpbland,

I checked with our team that worked on the ESP32 port and they clearly indicated AES in COUNTER mode was never ported and was not intended to be used on that hardware yet. It is something we may add support for in the future!

We are surprised to hear you were able to build with the setting WOLFSSL_AES_COUNTER given the port didn't include it in the effort. We are curious if you had to make any changes to get it to build or did it just compile cleanly?

Warm Regards,

K
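
A known-answer check for the mismatch reported in this thread, as an added example that is not code from the posters or from wolfSSL: it takes the 64 bytes an AES-CTR backend produces for the all-zero key, IV and plaintext (for instance the `temp_payload_cipher` buffer from the first post), compares them with the OpenSSL output quoted there, and flags repeated 16-byte blocks. The vectors are the two dumps from the first post; the names `ctr_selftest`, `smallest_period` and `fill_hw_dump` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define AES_BLK 16

/* First 64 keystream bytes of AES-128-CTR with an all-zero key and IV:
 * the OpenSSL EVP output quoted in the first post. */
static const uint8_t kat_zero[64] = {
    0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e,
    0x58,0xe2,0xfc,0xce,0xfa,0x7e,0x30,0x61,0x36,0x7f,0x1d,0x57,0xa4,0xe7,0x45,0x5a,
    0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78,
    0xf7,0x95,0xaa,0xab,0x49,0x4b,0x59,0x23,0xf7,0xfd,0x89,0xff,0x94,0x8b,0xc1,0xe0 };

enum ctr_check { CTR_OK, CTR_MISMATCH, CTR_REPEATED_BLOCK };

/* Smallest p with buf[i] == buf[i + p] for every i; returns len if none. */
size_t smallest_period(const uint8_t *buf, size_t len) {
    for (size_t p = 1; p < len; p++) {
        size_t i = 0;
        while (i + p < len && buf[i] == buf[i + p]) i++;
        if (i + p == len) return p;
    }
    return len;
}

/* out: result of encrypting up to 64 zero bytes under the zero key and IV. */
enum ctr_check ctr_selftest(const uint8_t *out, size_t len) {
    /* Distinct counter values under one AES key give distinct keystream
     * blocks, so any repeated block means the backend is not doing CTR. */
    for (size_t a = 0; a + AES_BLK <= len; a += AES_BLK)
        for (size_t b = a + AES_BLK; b + AES_BLK <= len; b += AES_BLK)
            if (memcmp(out + a, out + b, AES_BLK) == 0) return CTR_REPEATED_BLOCK;
    if (len > sizeof kat_zero || memcmp(out, kat_zero, len) != 0) return CTR_MISMATCH;
    return CTR_OK;
}

/* Rebuild the hardware-accelerated dump from the post: c0 7e 66 00 repeated. */
void fill_hw_dump(uint8_t out[64]) {
    static const uint8_t pat[4] = { 0xc0, 0x7e, 0x66, 0x00 };
    for (size_t i = 0; i < 64; i++) out[i] = pat[i % 4];
}

int main(void) {
    uint8_t hw[64];
    fill_hw_dump(hw);
    printf("hw: check=%d period=%zu\n", (int)ctr_selftest(hw, 64), smallest_period(hw, 64));
    printf("sw: check=%d period=%zu\n", (int)ctr_selftest(kat_zero, 64), smallest_period(kat_zero, 64));
    return 0;
}
```

On the dumps from the first post, the hardware-accelerated output fails with a repeated block and a 4-byte period, while the output that matches OpenSSL passes.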

5 (edited by jpbland 2020-03-26 08:51:54)

Re: Wolfssl esp32 aes in ctr mode not compatible with x86 openssl EVP aes

Hey Kaleb,

Here are my user settings. Aside from this, I've also had to comment out the fast math in settings.h since it broke the build, and I also had to comment out the inclusion of an openssl compatibility file related to key generation in order to properly generate keys and certificates; not related to aes but still something I changed. I am still able to generate certificates without that file, but commenting things out in the source is less than ideal since it's hard to keep track of my changes without making my own branch or something.

```c
/* user_settings.h
 *
 * Copyright (C) 2006-2020 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

#define BENCH_EMBEDDED
#define USE_CERT_BUFFERS_2048

/* TLS 1.3                                 */
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define WC_RSA_PSS
#define HAVE_HKDF
#define HAVE_AEAD
#define HAVE_SUPPORTED_CURVES

/* when you want to use SINGLE THREAD */
/* #define SINGLE_THREADED */
#define NO_FILESYSTEM

#define HAVE_AESGCM
/* when you want to use SHA384 */
/* #define WOLFSSL_SHA384 */
#define WOLFSSL_SHA512
#define HAVE_SHA512
#define HAVE_ECC
#define HAVE_CURVE25519
#define CURVE25519_SMALL
#define HAVE_ED25519
#define ED25519_SMALL
#define HAVE_DH
#define HAVE_FFDHE_2048
#define HAVE_RSA
#define HAVE_SHA
#define HAVE_AES_CBC
#define WOLFSSL_AES_DIRECT
#define WOLFSSL_AES_COUNTER
#define HAVE_DES3
#define WOLFSSL_ALLOW_SSLV3

#define KEEP_PEER_CERT
#define WOLFSSL_KEY_GEN
#define WOLFSSL_CERT_GEN
#define SHOW_SECRETS

#define WOLFSSL_ESPWROOM32

/* esp32-wroom-32se specific definition */
#if defined(WOLFSSL_ESPWROOM32SE)
    #define WOLFSSL_ATECC508A
    #define HAVE_PK_CALLBACKS
    /* when you want to use a custom slot allocation for ATECC608A */
    /* unless your configuration is unusual, you can use default   */
    /* implementation.                                             */
    /* #define CUSTOM_SLOT_ALLOCATION                              */
#endif

/* rsa primitive specific definition */
#if defined(WOLFSSL_ESPWROOM32) || defined(WOLFSSL_ESPWROOM32SE)
    /* Define USE_FAST_MATH and SMALL_STACK                        */
    #define ESP32_USE_RSA_PRIMITIVE
    /* threshold for performance adjustment for hw primitive use   */
    /* X bits of G^X mod P greater than                            */
    #define EPS_RSA_EXPT_XBTIS           36
    /* X and Y of X * Y mod P greater than                         */
    #define ESP_RSA_MULM_BITS            2000
#endif

/* debug options */
#define DEBUG_WOLFSSL
/* #define WOLFSSL_ESP32WROOM32_CRYPT_DEBUG */
/* #define WOLFSSL_ATECC508A_DEBUG          */

/* date/time                               */
/* if it cannot adjust time in the device, */
/* enable macro below                      */
/* #define NO_ASN_TIME */
/* #define XTIME time */

/* when you want not to use HW acceleration */
/* #define NO_ESP32WROOM32_CRYPT */
// #define NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH
#define NO_WOLFSSL_ESP32WROOM32_CRYPT_AES
/* #define NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI */
```

This is in settings.h

```c
/* Uncomment next line if building for using ESP-IDF */
#define WOLFSSL_ESPIDF

/* Uncomment next line if using Espressif ESP32-WROOM-32 */
#define WOLFSSL_ESPWROOM32
...
#if defined(WOLFSSL_ESPIDF)
    #define FREERTOS
    #define WOLFSSL_LWIP
    #define NO_WRITEV
    #define SIZEOF_LONG_LONG 8
    #define NO_WOLFSSL_DIR
    #define WOLFSSL_NO_CURRDIR

    #define TFM_TIMING_RESISTANT
    #define ECC_TIMING_RESISTANT
    #define WC_RSA_BLINDING

#if defined(WOLFSSL_ESPWROOM32) || defined(WOLFSSL_ESPWROOM32SE)
   #ifndef NO_ESP32WROOM32_CRYPT
        #define WOLFSSL_ESP32WROOM32_CRYPT
        #if defined(ESP32_USE_RSA_PRIMITIVE) && \
            !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI)
            #define WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI
            // #define USE_FAST_MATH
            #define WOLFSSL_SMALL_STACK
        #endif
   #endif
#endif
#endif /* WOLFSSL_ESPIDF */
```

In ssl.c

```c
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
        defined(HAVE_WEBSERVER) || defined(WOLFSSL_KEY_GEN)
    /* #include <wolfssl/openssl/evp.h> */
    /* openssl headers end, wolfssl internal headers next */
#endif
```


Re: Wolfssl esp32 aes in ctr mode not compatible with x86 openssl EVP aes

Also, I haven't tried to use other aes methods directly, but I am using multiple cipher suites that include aes, so I would assume they are working properly, or at least I haven't run into problems with them not working.
