526 Reply by Kaleb J. Himes

(1 replies, posted in wolfSSL)

Hi,

Thanks for contacting wolfSSL. Have you had a chance to review our porting guide here: https://wolfssl.com/wolfSSL/Docs-wolfss … guide.html

The porting guide will cover each problem expected when porting to a new environment. The guide will not touch on the differences for an 8-bit CPU and the default types wolfSSL expects (32 or 64 bit). Please take note of the define and example in our settings used when build for MICRIUM:

 #define WOLFSSL_TYPES

    typedef CPU_INT08U byte;
    typedef CPU_INT16U word16;
    typedef CPU_INT32U word32;

You will need to define what a 8-bit unsigned integer, 16-bit unsigned integer, and 32-bit unsigned integer are for your 8-bit CPU along with the define for NO_64BIT.


Warm Regards,

Kaleb

Go to forum: wolfSSL

527 Reply by Kaleb J. Himes

(1 replies, posted in wolfSSL)

NOTE: Being handled in Zendesk, if a solution can be reached it will be posted here for public review.

Go to forum: wolfSSL

528 Reply by Kaleb J. Himes

(9 replies, posted in wolfCrypt)

Thanks telina for this note!

I have added that to the list of things to update in the next round of documentation!

ACTION ITEM: add --enable-aesctr to configure options section


Warm Regards,

Kaleb

Go to forum: wolfCrypt

529 Reply by Kaleb J. Himes

(5 replies, posted in wolfSSL)

Hi Carsonbaker,

Currently wolfSSL has not worked on SRTP solution but it is something we would love to discuss with you! Your project sounds interesting and we would love to hear more details, what are your end goals, what problem will SRTP w/ DTLS help you solve?


Warm Regards,

Kaleb

Go to forum: wolfSSL

530 Reply by Kaleb J. Himes

(9 replies, posted in wolfCrypt)

Hi telina,

Just to double check is it possible you are working with a version older than wolfssl-3.11.0? We added the define for --enable-aesctr back in December of 2016 and it has been in our development master on github for some time, but it only made it into the newest release 3.11.0

If that is the case I would recommend you download our latest release from the website here: https://wolfssl.com/wolfSSL/download/downloadForm.php as that version also contained several bug fixes and addressed some other issues including adding a configure option for aesctr!

 --enable-aesctr


Warm Regards,

Kaleb

Go to forum: wolfCrypt

531 Reply by Kaleb J. Himes

(2 replies, posted in wolfSSL)

Hi oigor,

It does seem like the logic should be only "greater than" following my initial review. I want to spend a little more time checking one thing, but wanted to get you an update. I will let you know when I have completed a more in-depth review of the other code segments surrounding this condition.

If possible could you provide us the test certificates you are using so we might reproduce the issue on our end and create a test case for this scenario in all our future release cycles?


Warm Regards,

Kaleb

Go to forum: wolfSSL

532 Reply by Kaleb J. Himes

(7 replies, posted in wolfSSL)

Hi yrekik,


I talked to our DTLS expert and there is a known interop bug with tinyDTLS. wolfSSL can interop with GnuTLS and vise-versa.

Neither, GnuTLS nor wolfSSL can interop with tinyDTLS. This is a tinyDTLS issue.

On the Poly1305/ChaCha implementation, one caution would be to make sure you are using the "Official" ChaCha Poly RFC when implementing as there is a "Google Standard" out there as well that was incorrect to begin with. Google has since updated to the RFC standard and wolfSSL also has implemented the RFC standard.


Best Regards,

Kaleb

Go to forum: wolfSSL

533 Topic by Kaleb J. Himes

(3 replies, posted in General Inquiries)

Hi!  Are you interested in using wolfSSL with the OpenVPN?  If so, let us know at info@wolfssl.com or by posting a reply to this forum topic!

The wolfSSL lightweight SSL/TLS library is nice for reduced overhead and maximum throughput in addition to supporting cutting edge curves and cipher suites!  wolfSSL currently supports up to TLS 1.3 and DTLS 1.2 and offers leading support in the industry!

OpenVPN, as described by their website, is “an open source virtual private network solution that has established itself as the defacto standard".

We look forward to hearing your thoughts about using wolfSSL with OpenVPN!

Go to forum: General Inquiries

534 Reply by Kaleb J. Himes

(9 replies, posted in wolfCrypt)

Hi telina,

Ahh yes, I regret we did not make specific note of that, it is customary not only to include options.h but to include it before any other wolfSSL header file so that the options are defined when the next header is included. I tend to start all external app development by doing the following:

#include <stdio.h>
#include <wolfssl/options.h>

... other c include headers here ....
... other wolfssl include headers here ...

I apologize we failed to specifically mention that it must be include before all other wolfSSL headers. I wil keep that in mind for any other customers that contact us with similar issues.

You said "I managed to fix it... Nevertheless ...", it is fine if a file includes integer.h as that file is IFDEF protected with this logic:

                                                                              
 35 #include <wolfssl/wolfcrypt/types.h>       /* will set MP_xxBIT if not default */
 36 #ifdef USE_FAST_MATH                                                             
 37     #include <wolfssl/wolfcrypt/tfm.h>                                           
 38 #else

      ... integer.h code ...

374 #endif /* USE_FAST_MATH */

The only issue is if you are getting errors from integer.h as you were previously that indicated that the define USE_FAST_MATH was not properly being detected. Is there still an outstanding issue or is everything now working properly?

Warmest Regards,

Kaleb

Go to forum: wolfCrypt

535 Reply by Kaleb J. Himes

(7 replies, posted in wolfSSL)

Hi yrekik,

Are you positive tinyDTLS support POLY1305 and CHACHA? That is a pretty cutting edge cipher suite that will make it into TLS 1.3 but very few vendors support it today. wolfSSL and BoringSSL support that cipher suite but very few other SSL/TLS/DTLS providers have taken that step so far, I am skeptical that tinyDTLS supports it.

That being said I can confirm the issues you previously noted when using PSK-AES128-CCM-8 and I am looking into the issue. I should have more info for you by Friday morning Mountain Standard Time (U.S).


Warmest Regards,

Kaleb

Go to forum: wolfSSL

536 Reply by Kaleb J. Himes

(7 replies, posted in wolfSSL)

Hi yrekik,

One other thing to check is the identity hint being sent to the server. Are you sending the correct "client identity hint" so the server knows the correct key to select for that client?


Warm Regards,

Kaleb

Go to forum: wolfSSL

537 Reply by Kaleb J. Himes

(9 replies, posted in wolfCrypt)

Hi telina,

As Chris initially pointed out it sounds like you have a configuration mismatch. In the configuration you sent you have the configure option 

--enable-fastmath

Then in the Netbeans project it has "Unresolved includes" in "wolfssl/wolfcrypt/dh.h" leading to "integer.h". HOWEVER "integer.h" is the normal math libraries and SHOULD NOT be being built when using FASTMATH, instead that should be "tfm.h" (short for tom's fast math).

It sounds like the Netbeans project still does not have the same settings as the library was built with. Could you double check that the Netbeans project is including "wolfssl/options.h" header file?


Warmest Regards,

Kaleb

Go to forum: wolfCrypt

538 Reply by Kaleb J. Himes

(8 replies, posted in wolfMQTT)

Hi embedded,

One other note from our MQTT developer:

Also if you have WOLFMQTT_NONBLOCK defined then you'll need to handle the MQTT_CODE_CONTINUE response type.
- D.G. wolfSSL Embedded Engineer


Best Regards,

Kaleb

Go to forum: wolfMQTT

539 Reply by Kaleb J. Himes

(8 replies, posted in wolfMQTT)

Hi embedded,

In non-blocking mode a timeout should never be reached, ever. The timeout is for one specific "blocking mode" case:

BLOCKING MODE:

1. server and client are connected.
2. Server advances TLS state machine to a "read" state and enters the receive data method.
3. Client ungracefully disconnects (network goes down temporarily or something else unexpected happens)
4. Server gets stuck waiting to receive data FOREVER.
5. Insert TIMEOUT, now server will only get stuck waiting to receive until timeout is reached.
6. Now server has a way to back out and see that the client has disconnected and aborts the session.

NON-BLOCKING MODE:

1. <same as 1 in blocking mode>
2. <same as 2 in blocking mode>
3. <same as 3 in blocking mode>
4. Server checks to see if there is data. No data waiting, returns immediately in non-blocking mode.
5. No need for a timeout
6. server always returns regardless of data or not, sees that the client has disconnected and aborts the session.

There are two layers that play a role in non-blocking, the TCP/IP layer and the TLS layer. Could you make sure that the TCP/IP socket is also configured non-blocking at the TCP level? If you are still getting a TIMEOUT while using WOLFMQTT_NONBLOCK, that means non-blocking mode is not completely configured correctly.


Best Regards,

Kaleb

Go to forum: wolfMQTT

540 Reply by Kaleb J. Himes

(6 replies, posted in wolfSSL)

Hi muyouyuwan,

I just wanted to check back today on how your project is going. If possible can you share any details of what it is you're working on and what are the end goals for the project?

Of course if you have any other questions please let us know, wolfSSL is always happy to help in any way we can.


Best Regards,

Kaleb

Go to forum: wolfSSL

541 Reply by Kaleb J. Himes

(1 replies, posted in wolfSSL)

Hi djohnson,

PKCS 5 v2.1 is definitely something we could add but as you noted we don't have it yet. For new feature requests tracking, if it's not too much trouble, could you shoot an email to "support@wolfssl.zendesk.com" so I can more easily track that request.

Also when you send the email could you provide just some high-level overview of the project you are working on, any time-lines you may be aware of for the project etc.

Once I receive the feature request email I'll put you in touch with Rich Kelm and alert him of the request to start discussing the best way to approach this based on your project and any timelines you might have.


Thanks!

Kaleb

Go to forum: wolfSSL

542 Reply by Kaleb J. Himes

(5 replies, posted in wolfCrypt)

Hi Teaspoon,

We are pleased to hear you got it resolved by including options.h header file. Yes unfortunately that is very important, the library can be configured differently than the application which can result in undefined behavior as you experienced.

Thanks for the details on your project! Of course we are curios and always love to hear about the exciting ways or embedded TLS/SSL library is being used! I've looked up the Orthanc website, it looks like this is an open-source storage solution for MRI and other medical data, very exciting!! Let us know how the project comes along and of course if you have any other questions please reach out any time. We are always happy to help in any way we can!


Best Regards,

Kaleb

Go to forum: wolfCrypt

543 Reply by Kaleb J. Himes

(1 replies, posted in wolfMQTT)

Hi M. Colella,

Could you tell us the end goals of your project, what are you working on, what will it do? We love to hear about all the new and exciting ways people are using our embedded TLS/SSL library!

There are many customers using wolfSSL on MQX today. If you execute this google search you will find a lot of hits on the forums here with many helpful suggestions and issues some of our users have had when building for the first time with MQX:

Google Query:

site:wolfssl.com MQX

The guide for building wolfSSL (Formerly known as CyaSSL) can be found on the NXP site here: https://community.nxp.com/thread/338562

Our product comes bundled. It is called "CyaSSL for Kinetis SDK with MQX RTOS"

Once you are up and running with the wolfSSL library the MQTT guide can be found here: https://wolfssl.com/wolfSSL/Docs-wolfmqtt-manual.html

It should not be too difficult to port MQTT as all the underlying security relies on the wolfSSL library which has already been ported. Once you get to that step though, if you have any trouble please let us know, we are happy to help any way we can.

We have not personally ported our MQTT solution to MQX yet as it is still a newer product but we're happy to assist you in the effort.

Thank you for using the wolfSSL Forums!


Best Regards,

Kaleb

Go to forum: wolfMQTT

544 Reply by Kaleb J. Himes

(6 replies, posted in wolfSSL)

Hi muyouyuwan,

By default a client should always do peer authentication to verify the server the client is connecting to is the server the client "Thinks" it is and not some man-in-the-middle pretending to be the server. So the client will use these API's

CLIENT:

wolfSSL_CTX_load_verify_(locations/buffer) -> Where the file/buffer being loaded contains the SERVERS Root CA.
wolfSSL_CTX_use_private_key_(file/buffer) -> Where the private key being loaded is the CLIENTS Private key
wolfSSL_CTX_use_certificate_(file/buffer) -> Where the certificate being loaded is the CLIENTS certificate

Next, 99% of all servers in the world DO NOT do client authentication since just about anyone is allowed to connect to a server. Google for example does not have a copy of every certificate burned into every laptop in the world to do client authentication with, that is a LOT of certificates. HOWEVER if you do want to do client authentication then the server would use the same API's but in the "wolfSSL_CTX_load_verify_(locations/buffer) the server would load the Root CA that signed the clients certificate:

SERVER:

wolfSSL_CTX_load_verify_(locations/buffer) -> Where the file/buffer being loaded contains the CLIENTS Root CA.
wolfSSL_CTX_use_private_key_(file/buffer) -> Where the private key being loaded is the SERVERS Private key
wolfSSL_CTX_use_certificate_(file/buffer) -> Where the certificate being loaded is the SERVERS certificate


Regards,

Kaleb

Go to forum: wolfSSL

545 Reply by Kaleb J. Himes

(5 replies, posted in wolfSSL)

Hi Nimesh,

Ok thanks for confirming the need for client authentication.

To correctly do client-auth you need to load the CA that signed the client's certificate on the server side with the API wolfSSL_CTX_load_verify_locations(Take file input) or wolfSSL_CTX_load_verify_buffer(takes buffer input if you don't have a file system) prior to the client connecting to the server. You can see examples of this being done in <wolf-root>/examples/server/server.c when "doCliCertCheck" is set to 1 (by default).


Best Regards,

Kaleb

If the clients certificate is self-signed then you need to load the clients actual certificate with that API on the server prior to the client connecting.

Go to forum: wolfSSL

546 Reply by Kaleb J. Himes

(3 replies, posted in wolfSSL)

Hi belussi,

We have an example of doing certificate generation here: https://github.com/wolfSSL/wolfssl-exam … gen/test.c

You would simply modify the section on lines 97 - 114 (https://github.com/wolfSSL/wolfssl-exam … test.c#L97)

/*---------------------------------------------------------------------------*/
/* Generate new ecc key */
/*---------------------------------------------------------------------------*/
    printf("initializing the rng\n");
    ret = wc_InitRng(&rng);
    if (ret != 0) goto fail;

    printf("Generating a new ecc key\n");
    ret = wc_ecc_init(&newKey);
    if (ret != 0) goto fail;

    ret = wc_ecc_make_key(&rng, 32, &newKey);
    if (ret != 0) goto fail;

    printf("Successfully created new ecc key\n\n");
/*---------------------------------------------------------------------------*/
/* END */
/*---------------------------------------------------------------------------*/

To use the ECC key provided by the ATECC508A module instead of creating a new one with the software, retrieve it from the hardware.

I tried to provide "step-by-step" comments to make it easy to understand the flow of what is happening in the certificate generation example but if you have any questions please let me know.


Warm Regards,

Kaleb

Go to forum: wolfSSL

547 Reply by Kaleb J. Himes

(5 replies, posted in wolfCrypt)

Hi Teaspoon,

Could you tell me more about your project and end goals? What platform are you working on, what architecture?
Have you run the wolfcrypt test application to confirm the underlying crypto is working on your platform?

( <wolf-root>/wolfcrypt/test/test.c )

I ask because I literally just copy/pasted your code, compiled it and my result was:

kalebs-MBP:support-forums-IV-being-changed-3-apr-2016 khimes$ ./run 

IV before SetKey(Encrypt): 31 32 33 34 35 36 37 38 39 30 61 62 63 64 65 66 
IV  after SetKey(Encrypt): 31 32 33 34 35 36 37 38 39 30 61 62 63 64 65 66 
 aesEncrypt.reg  contents: 31 32 33 34 35 36 37 38 39 30 61 62 63 64 65 66 
IV  after SetKey(Decrypt): 31 32 33 34 35 36 37 38 39 30 61 62 63 64 65 66 
 aesDecrypt.reg  contents: 31 32 33 34 35 36 37 38 39 30 61 62 63 64 65 66 
Plain1: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 00 
AAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Padded: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 00 05 05 05 05 05 
Cipher: 8A D4 F6 7D 53 E1 FA 88 36 9C 83 00 D8 A5 1A 60 FB 26 CC A5 22 46 AA F2 2E 9A 5A 40 9E AD EE 7B ED 35 48 36 9E D5 4D E3 7B CD 5A 1D 3D 85 A7 70 DE 86 3C 27 61 0E 00 14 B2 69 34 03 3A 2C 25 0E 
Plain2: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 00 
AAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

I also noticed you did not include <wolfssl/options.h> or <wolfssl/wolfcrypt/settings.h> in your project. You should include the same settings file that you used to configure wolfSSL library so your application and the library are not in conflict. If the library and the application linking against the library are in conflict you may experience undefined behavior.

Let me know some more details so we can narrow down why you are seeing this result on your platform/device.


Warm Regards,

Kaleb

Go to forum: wolfCrypt

548 Reply by Kaleb J. Himes

(3 replies, posted in wolfSSL)

Hi belussi,

We are happy to help with anything wolfSSL related. We have no experience configuring Apache to use keys from a hardware module, I apologize. Have you contacted Apache support in regards to this?

https://httpd.apache.org/support.html


Regards,

Kaleb

Go to forum: wolfSSL

549 Reply by Kaleb J. Himes

(5 replies, posted in wolfSSL)

I would recommend disabling client authentication on the server side. IE on the server you would not want to use the API "wolfSSL_CTX_set_verify"

If you do not call that API then client authentication will be disabled by default.

Do you intend to do client auth?

- Kaleb

Go to forum: wolfSSL

550 Reply by Kaleb J. Himes

(6 replies, posted in wolfSSL)

Hi muyouyuwan,

However, server-side load certchain.cert instead of ca.cert, the Verification is not OK.

It appears you are doing client authentication on the server, is that your intent? I ask because 99% of all servers in the world do not do client authentication as that would require having the Certificate Authority for every client you ever expect to connect to that server. This creates a lot of overhead unless you have a very specific use-case and you DO want to guarantee that only clients with certificates signed by a specific CA can connect to your server. I just want to make sure you actually intend to be doing this.

And the -188 error is printed in the server-side function VerifyCallback().
I made the certification chain by writing server.cert and ca.cert to a new file certchain.cert.
Is this method of make certification chain correct?
And What can be the cause of the error -188 and how can I solve this?
Thank You.

To do client authentication (if that is your desire) the chain loaded into the "VerifyLocations" should be "client-cert" and the "ca cert" (more specifically, the ca that signed the client certificate). In our test certs the <wolf-root>/certs/ca-cert was used to sign both the client and the server certs, that's why you can load just the ca and be ok but then if you place the server cert in the chain, the server cert never was part of the clients chain so the verification will fail.

Regards,

Kaleb

Go to forum: wolfSSL