You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by Kaleb J. Himes
UPDATE on related threads "SiFive":
https://github.com/wolfSSL/wolfssl/pull/2456
Support for SiFive HiFive Unleashed board
- KH
Hi valcroft,
Rather than freeing the context (which will also free the context handlers) could you try only freeing and re-creating the SSL object?
If you do need to free the context factory you should try calling wolfSSL_Cleanu()p and wolfSSL_Init() also before proceeding but it isn't ideal.
- KH
Hi harish,
Where did you download wolfSSL from? Did it come from: https://www.wolfssl.com/download/ or somewhere else?
Warm Regards,
KH
Hi @rafaelzingler,
Are you at the absolute maximum of available heap? Often times you simply need to increase whatever the default heap settings are. Also you can try to reduce memory usage with:
USE_SLOW_SHA256
USE_SLOW_SHA512
You can further reduce overall memory useage (increases heap usage, reduces stack usage) by removing the USE_FAST_MATH setting and reducing stack but slightly increasing heap.
Warm Regards,
KH
Hi @rafaelzingler,
Ahh so it must be coming from some other cert in the chain that uses SHA384 then. Yes can you try adding the settings:
WOLFSSL_SHA512
WOLFSSL_SHA384 // Truncated sha512 so you need sha512 enabled too!
OR
--enable-sha512 --enable-sha384
Let us know if that works.
Warm Regards,
KH
Hi @rafaelzingler,
Notice the error code -232 while processing the cert, this means the hash type used is not enabled/supported. That cert uses sha1. Could you check your settings and see if NO_SHA is being defined? If so could you remove that setting and test again with SHA1 enabled?
Warm Regards,
K
Our team is seeking valuable insight/feedback from the community on the current direction of libcurl development!
Please do not miss out on this opportunity and head over to the following link to voice your preferences, don't miss the custom option at the end of the survey if the current options do not fit your preference please suggest what you would MOST like to see worked on in libcurls' immediate future!
https://docs.google.com/forms/d/e/1FAIp … A/viewform
Thanks for your time and valuable/coveted feedback!
Regards,
The wolfSSL/libcurl team
Please try using this one instead and let us know if the issue resolves (Thank you for sending the domain)
Warm Regards,
K
Hi rafaelzingler,
There is nothing wrong with your settings, the -188 error code means you just haven't loaded the right cert in to validate the peer you are connecting to!
The API wolfSSL_CTX_load_verify_buffer is most common on embedded devices unless you have a file system in which case you can use wolfSSL_CTX_load_verify_locations instead. You want to load the Root CA that signed the peer cert chain.
If you have any trouble finding the right cert to load please send us the IP of a public server we can connect to and we'd be happy to track down the right cert for you.
Warm Regards,
KH
agoswam,
Can you tell us where the signature came from and how it was generated initially? If there is DER encoding in front of the signature is it possibly PKCS8 encoded? Can you try calling wc_GetPkcs8TraditionalOffset on the signature first and check the return code of that function? If wc_GetPkcs8TraditionalOffset returns a zero (success) can you try stripping off the PKCS8 header before verifying the signature?
If it is not a PKCS8 encoded signature do you know how it was encoded initially?
Warm Regards,
K
Hi agoswam,
Both hashes are now 51 bytes long
You indicated the digest size is 51 which may be the source of the issue. You are passing WC_HASH_TYPE_SHA256 which has a digest of only 32-bytes not 51.
A SHA256 digest is 32-bytes long,
A SHA384 digest is 48-bytes long,
and
A SHA512 digest is 64-bytes long.
There are no digests that are 51 bytes long. Can you double check the digest length?
Warm Regards,
K
These issues were fixed as of PR: https://github.com/wolfSSL/wolfssl/pull/2328
Fixes are in release 4.1.0
- KH
Hi Oytis,
Thank you for reaching out with your question. As noted in the comment the valid use case for the callback function that can always return success is when you are using a Hardware Security Module to check the signature for you (ATECC508A/608A, ST Safe, etc). There is no need to check the signature twice, that just wastes computation cycles that could be spend on more interesting tasks.
The valid use case for checking the signature that was generated is if you wish to ensure the signature is valid before sending it. Imagine you have a backend system that can crank out thousands of signatures but you're sending those signatures to embedded systems that take on the order of 10's or 100's of seconds to perform a verify operation. You can save some time by checking the signatures are correct on the backend before shipping them to the field devices rather then sending a bad one, having the field device fail, and then sending another. Our library is designed with embedded systems in mind and we provide some unique functionality for those of our users that have requested it.
Please let us know if you have any other questions!
Warm Regards,
KH
Hi @prateekkhatri,
Please see the "Building on *NIX" section of the wolfMQTT manual here: https://www.wolfssl.com/docs/wolfmqtt-m … z7uhcww9nn
The examples should be built with the execution of ./configure && make
For documentation on using/testing each of the examples see Chapter 3 "Getting Started" here: https://www.wolfssl.com/docs/wolfmqtt-m … bjm2iigup4
Warm Regards,
KH
Hi JMG,
Can you tell us a bit about the project and what/who is driving the effort?
To start please uncomment the define FREERTOS in wolfssl-root/wolfssl/wolfcrypt/settings.h and add the define WOLFCRYPT_ONLY to disable SSL/TLS functionality for just the crypto.
Please let us know if you encounter any issues as you get started!
Warm Regards,
K
Hi @agoswam,
Have you seen the wolfSSL secure boot solution, wolfBoot? If not could you read the overview in the README, is that along the lines of what you are seeking? https://github.com/wolfSSL/wolfBoot/blo … /README.md
IE a way to verify a firmware update or is your use-case something else? If the use case is something else please briefly describe the use-case and what/who is driving the effort.
Warm Regards,
K
@torntrousers,
On TLS 1.3, we recently posted a blog with the required settings to use for TLS 1.3 when not using ./configure to build, this was a blog for building on windows https://www.wolfssl.com/building-wolfss … 3-windows/
You can apply those same settings to user_settings.h in the arduino build!
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_ECC
#define HAVE_HKDF
#define HAVE_FFDHE_8192
#define WC_RSA_PSSYou noted the available heap was roughly 21k, how much stack was available? For an ECDHE_ECDSA you can usually get it down to about 12k stack, 16k heap for a handshake (varies slightly depending on number of certs in chain from the peer). Chapter 2 of the wolfSSL manual has a section for reducing resource usage https://www.wolfssl.com/documentation/w … Manual.pdf
Checkout Chapter 2 section 2.4.7 Reducing Memory Usage.
Let us know if you are able to get it working on the ESP8266 using some of the finer resource usage reduction settings!
If not those aren't enough try these also:
#define NO_RSA // Disable RSA entirely
// Assuming the setting USE_FAST_MATH is used for these next ones:
#define ECC_USER_CURVES // disable all curves except SECP256r1
#define FP_MAX_BITS 512 // Set to just large enough for 256-bit curves since no RSA is enabled.Warm Regards,
KH
Hi @torntrousers,
This can be caused by a memory / resource limitation, can you tell us how much heap/stack your device has available and which configuration settings you are using?
Since the cipher suite negotiated is ECDHE_ECDSA if you are not already using the setting
#define ALT_ECC_SIZEcould you set that and try again and let us know if that resolves the issue?
Warm Regards,
K
Anil,
Good deal! Happy to hear you identified the root cause. Let us know if anything else comes up!
- KH
Hi Anil,
We have a few examples in wolfcrypt/test/test.c, have you tried comparing your application code to how we do it in our testing?
Warm Regards,
KH
NOTE: Being worked on via zendesk through support@wolfssl.com
Hi mzimmers,
1) wolfSSL has been built on multiple SAM devices, no specific porting changes have been required to date to get it setup.
2) Either option is fine, you can build the sources and headers directly or create a stand alone library and link it, your preference.
3) Download wolfSSL and edit the file wolfssl-root/wolfssl/wolfcrypt/settings.h, uncomment the define for FREERTOS. Add the FreeRTOS header paths to your project include path and begin development!
Please let us know if you have any questions as you get started.
Warm Regards,
KH
PKLApps,
TLS 13 wasn't added until release 3.12.0 and at that time it was still in draft form. Please try testing with release 4.0.0 and let us know if you have any issues.
Warm Regards,
KH
Tammy,
That is good to hear! I will review the list and try to get updates for each of these that are not yet in the documentation. I've opened a PR to resolve the NO_HMAC with wolfcrypt only when not using the configure script to run the build here: https://github.com/wolfSSL/wolfssl/pull/2365
Warm Regards,
KH
Hi Tammy,
I see several defines in the above list that would be conflicting. For example HAVE_FAST_RSA means you are on an Intel box with the Intel IPP libraries available. HAVE_CAVIUM_V would indicate you are on running on a CAVIUM part and not an Intel part, the two together do not reflect a traditional use case for example, were those really being used together previously? Another conflict is BIG_SESSION_CACHE and HUGE_SESSION_CACHE, you can set one or the other but not both.
Were all of these settings really being used at the same time previously or are you just listing everything? Many of these are documented in the manual here: https://www.wolfssl.com/documentation/w … Manual.pdf
See Chapter 2 section 2.4 and the appropriate sub-section and we are in a release cycle right now so more settings will be added when the new manual is published. Perhaps you can provide a list of settings you are actively using and note when a feature is turned on if it causes errors or not and we can evaluate those?
Warm Regards,
KH
wolfSSL - Embedded SSL Library → Posts by Kaleb J. Himes
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.030 seconds (61% PHP - 39% DB) with 4 queries