726

(10 replies, posted in wolfSSL (formerly CyaSSL))

Hi alexander79,

I can not fix your code unfortunately. I have never worked in or with C++ or C# unfortunately and cannot get your code to compile in a reasonable amount of time. What I will do is post two examples of an example client and server in our examples directory on github. You can view the code there and try to translate that into your working language/environment.

Link to client: https://github.com/wolfSSL/wolfssl-exam … ls-ecdhe.c

Link to server: https://github.com/wolfSSL/wolfssl-exam … ls-ecdhe.c

I am also including a diff of the base client with the ecdh additions so you can see what changes were made:

Client diff:

--- client-tls.c    2015-08-28 14:02:17.000000000 -0600
+++ client-tls-ecdhe.c    2015-08-28 13:44:15.000000000 -0600
@@ -23,12 +23,14 @@
 #include    <string.h>
 #include    <errno.h>
 #include    <arpa/inet.h>
+#include    <wolfssl/options.h>
 #include    <wolfssl/ssl.h>          /* wolfSSL security library */
+#include    <wolfssl/test.h>
 
 #define MAXDATASIZE  4096           /* maximum acceptable amount of data */
 #define SERV_PORT    11111          /* define default port number */
 
-const char* cert = "../certs/ca-cert.pem";
+const char* cert = "../certs/server-ecc.pem";
 
 /*
  * clients initial contact with server. (socket to connect, security layer)
@@ -68,6 +70,10 @@
     WOLFSSL_CTX* ctx;
     WOLFSSL*     ssl;    /* create WOLFSSL object */
     int         ret = 0;
+    const char* myCert        = "../certs/client-ecc-cert.pem";
+    const char* myKey         = "../certs/ecc-client-key.pem";
+    char* cipherList          = "ECDHE-ECDSA-CHACHA20-POLY1305";
+    char buffer[WOLFSSL_MAX_ERROR_SZ];
 
     wolfSSL_Init();      /* initialize wolfSSL */
 
@@ -77,11 +83,25 @@
         return EXIT_FAILURE;
     }
 
+    if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
+            err_sys("client can't set cipher list 1");
+
+    if (wolfSSL_CTX_use_certificate_chain_file(ctx, myCert)
+                                                               != SSL_SUCCESS)
+            err_sys("can't load client cert file, check file and run from"
+                    " wolfSSL home dir");
+
+    if (wolfSSL_CTX_use_PrivateKey_file(ctx, myKey, SSL_FILETYPE_PEM)
+                                         != SSL_SUCCESS)
+            err_sys("can't load client private key file, check file and run "
+                    "from wolfSSL home dir");
+
     /* load CA certificates into wolfSSL_CTX. which will verify the server */
     if (wolfSSL_CTX_load_verify_locations(ctx, cert, 0) != SSL_SUCCESS) {
         printf("Error loading %s. Please check the file.\n", cert);
         return EXIT_FAILURE;
     }
+
     if ((ssl = wolfSSL_new(ctx)) == NULL) {
         printf("wolfSSL_new error.\n");
         return EXIT_FAILURE;
@@ -91,8 +111,14 @@
     ret = wolfSSL_connect(ssl);
     if (ret == SSL_SUCCESS) {
         ret = ClientGreet(sock, ssl);
+    } else {
+        printf("Failure:");
+        ret = wolfSSL_get_error(ssl, 0);
+        printf(" ret = %d", ret);
+        printf(" %s\n", wolfSSL_ERR_error_string(ret, buffer));
     }
 
+
     /* frees all data before client termination */
     wolfSSL_free(ssl);
     wolfSSL_CTX_free(ctx);

Server diff:

--- server-tls.c    2015-08-28 14:05:27.000000000 -0600
+++ server-tls-ecdhe.c    2015-08-28 14:06:19.000000000 -0600
@@ -32,6 +32,7 @@
 #include <netinet/in.h>
 #include <stdlib.h>
 #include <errno.h>
+#include <wolfssl/options.h>
 
 /* include the wolfSSL library for our TLS 1.2 security */
 #include <wolfssl/ssl.h>
@@ -124,6 +125,7 @@
     int ret      = 0; /* Return value */
     /* Server and client socket address structures */
     struct sockaddr_in serverAddr, clientAddr;
+    char* cipherList = "ECDHE-ECDSA-CHACHA20-POLY1305";
 
     /* Initialize wolfSSL */
     wolfSSL_Init();
@@ -141,7 +143,7 @@
     }
 
     /* Load server certificate into WOLFSSL_CTX */
-    if (wolfSSL_CTX_use_certificate_file(ctx, "../certs/server-cert.pem",
+    if (wolfSSL_CTX_use_certificate_file(ctx, "../certs/server-ecc.pem",
                 SSL_FILETYPE_PEM) != SSL_SUCCESS) {
         fprintf(stderr, "Error loading certs/server-cert.pem, please check"
                 "the file.\n");
@@ -149,13 +151,16 @@
     }
 
     /* Load server key into WOLFSSL_CTX */
-    if (wolfSSL_CTX_use_PrivateKey_file(ctx, "../certs/server-key.pem",
+    if (wolfSSL_CTX_use_PrivateKey_file(ctx, "../certs/ecc-key.pem",
                 SSL_FILETYPE_PEM) != SSL_SUCCESS) {
         fprintf(stderr, "Error loading certs/server-key.pem, please check"
                 "the file.\n");
         return EXIT_FAILURE;
     }
 
+    if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
+            printf("client can't set cipher list 1");
+
     /* Initialize the server address struct to zero */
     memset((char *)&serverAddr, 0, sizeof(serverAddr));
 

727

(10 replies, posted in wolfSSL (formerly CyaSSL))

Hi Alexander79,

1) use one of the following functions to set the DH parameters:

wolfSSL_SetTmpDH(ssl, p, sizeof(p), g, sizeof(g));

or

wolfSSL_CTX_SetTmpDH(ctx, p, sizeof(p), g, sizeof(g));

2) by setting the cipher list this tells the server what ciphers the client supports. The server will select the strongest option that it and the client both support for use of the session

Client can store certificate and keys in the same way we store them in the file wolfssl/certs_test.h if there is no file system

You can read more about these and more here:  https://www.wolfssl.com/wolfSSL/Docs-wo … rence.html

or in our API documentation here:
http://wolfssl.com/wolfSSL/Docs-wolfssl … rence.html

Kind Regards,

Kaleb

728

(10 replies, posted in wolfSSL (formerly CyaSSL))

Hi Alexander79,

For question 1:
The server is going to connect to the socket and call wolfSSL_accept() where it will wait to read 5 bytes (ssl record header). If after reading the 5 byte record header the server determines whether the connection is not a TLS connection wolfSSL_accept() will return an error code which your application can then check. At that point your application can do whatever you desire with the socket. example:

if (wolfSSL_accept(ssl) != SSL_SUCCESS)                                     
      {                                                                           
          int err = wolfSSL_get_error(ssl, 0);                                    
          char buffer[WOLFSSL_MAX_ERROR_SZ];                                      
          printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); 
          /*err_sys("SSL_accept failed");*/                                                              
      }

Question 2:
You will need to use DHE or ECDHE based cipher suite. You can set these by using wolfSSL_CTX_set_cipher_list() this function is defined in wolfssl/ssl.h. example:

if (wolfSSL_CTX_set_cipher_list(cipherSuiteCtx, suite) == SSL_SUCCESS)
      valid = 1

For negotiating the ephemeral key you will have to load a public and private key file however the ephemeral key will automatically be negotiated internally in our libraries.

Load public key:

         if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM)        
                                          != SSL_SUCCESS)
                         err_sys("can't load server cert file, check file and run from"      
                     " wolfSSL home dir");

Load private key:

         if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)          
                                          != SSL_SUCCESS)                        
             err_sys("can't load server private key file, check file and run "   
                 "from wolfSSL home dir");

Kind Regards,

Kaleb

729

(10 replies, posted in wolfSSL (formerly CyaSSL))

Hi Alexander79,

Thank you for your question. I am looking into it and will have an answer for you shortly.

Regards,

Kaleb

Hi Steve,

Thank you for the project details! I wanted to check back and see if those configure options got you to your target footprint or close?


Kind Regards,

Kaleb

Hi sungyun,

What functionality were you looking for in your project. What is the overall goal of your project? Perhaps with a little better understanding we may better support your efforts.

Kind Regards,

Kaleb

732

(5 replies, posted in wolfSSL (formerly CyaSSL))

Hi cfarrin,

That is excellent news. I am glad you were able to resolve the issue!

Regards,

Kaleb

733

(5 replies, posted in wolfSSL (formerly CyaSSL))

Hi cfarrin,

A colleague of mine also reminded me that if you build our libraries with the --enable-session-ticket to then ensure that you have included our options header in your project as that will pull in the definitions I mentioned above. This can be accomplished as follows:

#include <wolfssl/options.h>

Kind Regards,

Kaleb

734

(5 replies, posted in wolfSSL (formerly CyaSSL))

Hi cfarrin,

Did you define HAVE_SESSION_TICKET or configure with the option --enable-session-ticket? If not try this compile option:

gcc xxx.c -o xxx -lm -lwolfssl C_EXTRA_FLAGS="-DHAVE_SESSION_TICKET"

If you have and that is not the issue respond to this and I will look into it further.

Kind Regards,

Kaleb

Hi Steve,

For our curiosity here at wolfSSL could you tell us a little more about your project, end goals, what it's being used for etc. We love getting feedback from our customers!

Here is a list of the pre-processor definitions we use when targeting a 21k build. If you are building with autoconf system you can see corresponding configure options with ./configure -h

WOLFSSL_LEANPSK
HAVE_NULL_CIPHER
SINGLE_THREADED
NO_AES
NO_FILESYSTEM
NO_RABBIT
NO_RSA
NO_DSA
NO_DH
NO_CERTS
NO_PWDBASED
NO_DES3
NO_MD4
NO_MD5
NO_ERROR_STRINGS
NO_OLD_TLS
NO_RC4
NO_WRITEV
NO_SESSION_CACHE
NO_DEV_RANDOM
WOLFSSL_USER_IO
NO_SHA
USE_SLOW_SHA
BUILD_SLOWMATH                                                     
SINGLE_THREADED

Thanks for contacting us with your question

Kind Regards,

Kaleb

Hi Subhash,

That is good news. Glad you were able to get it working!

Regards,

Kaleb

Hi Subhash,

I just checked and indeed the example client does not work with the latest software packages from TI. TI has updated a lot since last year when those projects were made including packaging ndk inside the tirtos_for_tivac as opposed to it being a stand-alone product. I will go through tomorrow and update our examples to work with the latest TI software. I can not promise they will be complete tomorrow but I will start with the client and ping you when I have a working client up on github. If you need the examples to work before such time as I get updated projects posted please refer to this readme to replicate the exact environment the examples were created in:

https://github.com/wolfSSL/wolfssl-exam … L%20README

Kind Regards,

Kaleb

Hi delphiwolf,

In January our library underwent a name change from CyaSSL to wolfSSL the cyassl and ctaocrypt directories now contain bakwards-compatibility files for clients who had the library prior to the name change. This way if they update to our newest release any existing projects they have will still compile with the old API calls.

If you are starting fresh with the latest API and do not need backwards compatibility in most cases they will not be needed.
Cases when they would be needed:
      1. Some of our example projects if you decide to use them may reference an old API call that was left in place for
          compatibility testing.
      2. If working in a Unix/Linux environment and building our library with auto tools, Makefile.am will expect cyassl and
          ctaocrypt directories to be there and will fail if they are not.
      3. Some files have the line "#include <cyassl/ssl.h>" for backwards compatibility. If you get an error saying the file cannot
          be opened simply remove that line if you do not need that functionality.

While working on your projects should you decide to remove cyassl/ and ctaocrypt/ directories and you come across an error like the following: "Undefined reference to CyaSSL_get_cipher did you mean wolfSSL_get_cipher?" that is an example of the compatibility layer not being in place simply change the name and you will be linking against the new API. for a complete list of the name changes reference cyassl/ssl.h.

Kind Regards,

Kaleb

Hi sissiok. Are you using fastmath? I ask because this will modify the behavior of wc_freeDhKey. If you are unsure please reference options.h and see if fastmath is defined in there.

Regards

Hi sbernard,

Firstly thank you so much for the details of your project!

I discussed your issue with the team last night. By commenting out this line in our example server:

503 //        SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");

We were able to reproduce your error.

A commit has been made to fix the bug. If you clone our github development branch (https://github.com/wolfSSL/wolfssl.git) you should now be able to test successfully against scandium server (we have not tested against scandium ourselves but will if you have any other complications). Thank you so much for contacting us with your issue! It has been highly helpful and we hope we have helped you in turn.

My Sincerest Regards,

Kaleb

Hi sbernard,

Apologies for the time to get back to you. Could you help me to understand the full scope of your project, end goal, why is scandium server necessary etc. It would help when discussing with the wolfSSL team.

In regards to your last, we are looking into it and will get back to you as soon as possible. If you have any other questions in the meantime please do not hesitate to reply here or open a new case.

My Sincerest Regards,

Kaleb

742

(5 replies, posted in wolfSSL (formerly CyaSSL))

Hi sbernard,

Try using the following options. I am providing flags for both server and client in the case you would like to test wolfSSL internally before testing an external connection:

For TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8

Server options:

./examples/server/server -u -v 3 -l ECDHE-ECDSA-AES128-CCM-8 -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem

Client options:

./examples/client/client -u -v 3 -l ECDHE-ECDSA-AES128-CCM-8 -A ./certs/server-ecc.pem

To read more about these options and flags please use:

./examples/server/server -help

Hi sbernard,

The following options are what you're looking for to get TLS_PSK_WITH_AES_128_CBC_SHA256

Server options:

./examples/server/server -s -u -v 3 -l PSK-AES128-CBC-SHA256

Client options:

./examples/client/client -s -u -v 3 -l PSK-AES128-CBC-SHA256

TLS_PSK_WITH_AES_128_CCM_8

Configure options:

./configure --enable-psk --enable-dtls --enable-aesccm

Server options:

./examples/server/server -s -u -v 3 -l PSK-AES128-CCM-8

Client options:

./examples/client/client -s -u -v 3 -l PSK-AES128-CCM-8

A colleague of mine wanted me to also point out that the flags following the "-l" option can be found in <wolfssl-root>/src/internal.c in:

static const char* const cipher_names[] 

Hi Jeff,

I will do all I can to assist in this. Could you help me to better realize the full scope and detail of your project? I have reviewed your question and reached out to one of our contacts over at TI. He said

The MSP430 devices can be used with SimpleLink CC3100 WiFi devices which have different network and TLS stack. I am guessing the customer is using a WiFi device. If that’s true, then I wonder why the customer would need WolfSSL as there is support for TLS on the WiFi devices.

I suggest that you redirect the customer to http://e2e.ti.com/support/embedded/tirtos/ forum.  We  can help answering the question.

Other sources that may be helpful:

Porting to new environments
http://wolfssl.com/wolfSSL/Docs-wolfssl … guide.html

wolfSSL Texas Instruments Support
http://wolfssl.com/wolfSSL/wolfssl-ti.html

http://processors.wiki.ti.com/index.php … th_TI-RTOS

I hope this helps and look forward to assisting you in any way I can. Please do not hesitate to reach out if you have further questions.

Kind Regards,

Kaleb

Hi sissiok,

That is indeed strange. I don't know if it would solve it but perhaps having a project header:

Project.hpp
         #include files here

then include Project.hpp in both the main.c and in the Rsa_gen file?

Somehow the correct headers must not be getting included in both locations.

On the other topic. Thank you so much for you feedback on your project goals, we appreciate it!


Kind Regards,

Kaleb

746

(4 replies, posted in wolfSSL (formerly CyaSSL))

Hi ciruzzo,

Thank you so much for your feedback on the project we'll be discussing it today in our team meeting. If we think of anything that might help you solve your problem someone will be in touch!

Kind Regards,

Kaleb

Hi sissiok,

I just copied your code and did a quick run of it. I can not reproduce the error in discussion. I am attaching my source file. I had to update your main function as it was missing the argc and argv variables. In the source file you'll see the include options I used.

I am using OSX for testing. What environment are you working in. Perhaps it is an OS specific issue in which case we would like to narrow that down.

Here is my valgrind report:

kalebs-MBP:testDir khimes$ valgrind ./run 
==51474== Memcheck, a memory error detector
==51474== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==51474== Using Valgrind-3.11.0.SVN and LibVEX; rerun with -h for copyright info
==51474== Command: ./run
==51474== 
--51474-- ./run:
--51474-- dSYM directory is missing; consider using --dsymutil=yes
==51474== 
==51474== HEAP SUMMARY:
==51474==     in use at exit: 34,907 bytes in 425 blocks
==51474==   total heap usage: 559 allocs, 134 frees, 48,994 bytes allocated
==51474== 
==51474== LEAK SUMMARY:
==51474==    definitely lost: 16 bytes in 1 blocks
==51474==    indirectly lost: 0 bytes in 0 blocks
==51474==      possibly lost: 13,018 bytes in 115 blocks
==51474==    still reachable: 21,873 bytes in 309 blocks
==51474==         suppressed: 0 bytes in 0 blocks
==51474== Rerun with --leak-check=full to see details of leaked memory
==51474== 
==51474== For counts of detected and suppressed errors, rerun with: -v
==51474== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Here at wolfSSL we love hearing what customers are doing with our library is there any way you could provide us with a quick summary of your project and in what way we're helping you to accomplish your end goal?

Kind Regards,

Kaleb

Hi sissiok,

Just to double check have you included options.h header in your project and is it in scope of the file you're working with?

We're confident in RSA_genkey and it's been thouroughly vetted with valgrind on every release. My guess would be the definition of RsaKey or RNG is not getting pulled in somehow and it's being treated as a pointer and not a stucture.

Essentially an invalid write of size 8 is usually something that should be larger and is instead the size of a pointer. This line ==16570==  Address 0xfff001458 is not stack'd, malloc'd or (recently) free'd tells us that one of the parameters or one of the local variables is either not on the stack, has not been malloced yet, or has already been malloced previously somewhere, modified, and not freed before being called here.

Kind Regards,

Kaleb

Hi sissiok,

Have you tried printing out "sizeof(der)" as it's being passed into the function?

When you call sizeof on a function parameter it most likely is the size of the pointer that points to the variable and not the size of the actual variable. The pointer is likely 8 bytes and you've attempted to write something larger than 8. This would explain "==16570== Invalid write of size 8".

Make sure you are passing the actual size of the variable der and not what "sizeof" returns when you call it on a function parameter.

Kind Regards,

Kaleb

750

(2 replies, posted in wolfSSL (formerly CyaSSL))

Hi again blink,

Upon further discussion we've realized what you accomplished by modifying our values. By changing those pre-defined values that define a specific Elliptic Curve you have in fact invented your own custom Elliptic Curve that works with itself however will not be interoperable with anyone else using ECC as they will not be using the same Elliptic Curve that you are.

Essentially you have created a bug that will be exposed between yourself and any other version of ECC out there, but you will never see an error in local testing as the bug exists internally in your library and therefore is picked up by any program using that library.

I hope this helps you understand the results you were seeing.

Kind Regards,

Kaleb