1 Topic by adolphson (edited by adolphson 2026-02-18 18:01:55)

  • From: Australia
  • Registered: 2026-02-18
  • Posts: 2

Topic: AF_ALG breaks certificate verification on ARM32 (-155 error)

Hi,

I'm trying to use wolfSSL with AF_ALG on an ARM32 platform (Microchip SAMA5D2, Cortex-A5) to get hardware-accelerated AES-GCM for TLS. The goal is to offload bulk encryption to hardware while keeping certificate verification in software.

When I enable `--enable-afalg`, all certificate verification fails with error -155 (`ASN_SIG_CONFIRM_E`)

What we have:
- wolfSSL 5.8.4 (also tested 5.7.2)
- libcurl 8.18.0
- Linux with musl libc (Buildroot)
- hardware: Atmel AES via AF_ALG (`atmel-gcm-aes` driver)

Platform details:
- Microchip SAMA5D2 (ARM Cortex-A5)
- Linux 6.x, musl libc, Buildroot

Configure (minimal reproduction):

./configure --enable-curl --enable-afalg

What happens

$ curl https://www.google.com
SSL_connect failed with error -155: ASN sig error, confirm failure

This affects every HTTPS site

Hardware AES is working if we skip the certificate verification 

$ grep -i aes /proc/interrupts
157:          3  atmel-aic5   9 Level     atmel-aes

$ curl -k https://www.google.com   # skip verification
(succeeds, returns HTTP 200)

$ grep -i aes /proc/interrupts
157:         57  atmel-aic5   9 Level     atmel-aes

The AES interrupt count jumped from 3 to 57 during that connection. So AF_ALG AES-GCM is working for data encryption. It's only the certificate verification that breaks.

What I've tried (all fail with -155):
- Minimal config: just `--enable-curl --enable-afalg`
- wolfSSL 5.7.2 and 5.8.4
- SP math (default on ARM) vs TFM (`--enable-fastmath`)
- With and without `WOLFSSL_AFALG_HASH`
- libcurl 8.15.0 and 8.18.0

What works:
- `--enable-all` without `--enable-afalg` - certificates verify fine
- `--enable-curl` without `--enable-afalg` - certificates verify fine
- Basically anything WITHOUT `--enable-afalg`

Questions:
1. Has anyone successfully used `--enable-afalg` on ARM32 with certificate verification?
2. Is there a known issue with AF_ALG + curl on ARM?
3. Any suggestions for debugging this further?

I am keen to get hardware AES working since as we are pushing the boundaries of the CPU for our application.

Thanks for any help.

adolphson's Website

Share

  • Jacob
  • Moderator
  • Offline
  • Registered: 2014-08-21
  • Posts: 86

Re: AF_ALG breaks certificate verification on ARM32 (-155 error)

Hi adolphson,

Could you run ./wolfcrypt/test/testwolfcrypt to confirm if SHA256 hash operations are successful?

How did you test without WOLFSSL_AFALG_HASH, if building with ./configure was configure.ac altered and then ./configure regenerated?

wolfSSL,
Jacob

Share

  • From: Australia
  • Registered: 2026-02-18
  • Posts: 2

Re: AF_ALG breaks certificate verification on ARM32 (-155 error)

Hi Jacob,

Results of testwolfcrypt below:

$ testwolfcrypt 
Math:     Multi-Precision: Wolf(SP) word-size=32 bits=3072 sp_int.c
------------------------------------------------------------------------------
 wolfSSL version 5.8.4
------------------------------------------------------------------------------
macro    test passed!
error    test passed!
MEMORY   test passed!
base64   test passed!
base16   test passed!
asn      test passed!
MD4      test passed!
SHA      test passed!
SHA-256  test passed!
SHA-384  test passed!
SHA-512  test passed!
SHA-512/224  test passed!
SHA-512/256  test passed!
RANDOM   test passed!
Hash     test passed!
HMAC-SHA test passed!
HMAC-SHA256 test passed!
HMAC-SHA384 test passed!
HMAC-SHA512 test passed!
HMAC-KDF    test passed!
SSH-KDF     test passed!
PRF         test passed!
TLSv1.2 KDF test passed!
TLSv1.3 KDF test passed!
GMAC     test failed!
 error L=17481
 [fiducial line numbers: 10443 30112 49891 62840]
Exiting main with return code: -1

In regards to WOLFSSL_AFALG_HASH, I modified the buildroot makefile to try and undefine it via CFLAGS

WOLFSSL_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -UWOLFSSL_AFALG_HASH"

Thanks for you help.

adolphson's Website

Share