PKLApps,

TLS 13 wasn't added until release 3.12.0 and at that time it was still in draft form. Please try testing with release 4.0.0 and let us know if you have any issues.


Warm Regards,

KH

2

(10 replies, posted in wolfSSL (formerly CyaSSL))

Tammy,

That is good to hear! I will review the list and try to get updates for each of these that are not yet in the documentation. I've opened a PR to resolve the NO_HMAC with wolfcrypt only when not using the configure script to run the build here: https://github.com/wolfSSL/wolfssl/pull/2365

Warm Regards,

KH

3

(10 replies, posted in wolfSSL (formerly CyaSSL))

Hi Tammy,

I see several defines in the above list that would be conflicting. For example HAVE_FAST_RSA means you are on an Intel box with the Intel IPP libraries available. HAVE_CAVIUM_V would indicate you are on running on a CAVIUM part and not an Intel part, the two together do not reflect a traditional use case for example, were those really being used together previously? Another conflict is BIG_SESSION_CACHE and HUGE_SESSION_CACHE, you can set one or the other but not both.

Were all of these settings really being used at the same time previously or are you just listing everything? Many of these are documented in the manual here: https://www.wolfssl.com/documentation/w … Manual.pdf

See Chapter 2 section 2.4 and the appropriate sub-section and we are in a release cycle right now so more settings will be added when the new manual is published. Perhaps you can provide a list of settings you are actively using and note when a feature is turned on if it causes errors or not and we can evaluate those?

Warm Regards,

KH

HI pkLAppS,

Sorry for the delay in getting back on this, in 3.15.7 we fixed these three items with TLS 1.3:

Updates to internal code checking TLS 1.3 version with a connection
Removing unnecessary extended master secret from ServerHello if using TLS 1.3
Fix for TLS v1.3 HelloRetryRequest to be sent immediately and not grouped

One of those fixes likely resolved the issue you were seeing. As a note we always recommend using the latest release for the latest and greatest in security and features, we are currently on release 4.0.0 and in a release cycle so version 4.1.0 should be available for download on our website in the next week or two.

Warm Regards,

KH

5

(3 replies, posted in wolfCrypt)

Alfred,

Just checking in to see if you got things working OK?


Regards,

KH

Hi Jim,

Yes it is very possible to run wolfSSL over the TCP layer. We provide a custom IO callback solution that allows users to plug in any send/receive functionality that is available. wolfSSL is completely agnostic to the transport layer meaning if it can read and write data you can do a TLS handshake and securely pass messages through that medium, file system, in memory buffer, over bluetooth, USB serial, traditional TCP/IP, doesn't matter.

We have several reference implementations in wolfssl-root/src/wolfio.c that you can use as a model and we have an example here: https://github.com/wolfSSL/wolfssl-exam … -callbacks that shows doing a secure connection between two apps on the same system using files as the transport layer. Hopefully those references help show how agnostic we are to the transport layer and give you confidence that you can achieve a working solution with wolfSSL using your AT send/receive commands and built in TCP stack.

Let us know if you have any other questions.

Warm Regards,

KH

7

(10 replies, posted in wolfSSL (formerly CyaSSL))

Tammy,

I did find that if not using the configure setup you must also define WOLFSSL_NO_TLS12 explicitly, this is set by the auto-tools but not in a makefile setup or if using settings.h to control the build. I will open a PR to address this.

Warm Regards,

KH

8

(10 replies, posted in wolfSSL (formerly CyaSSL))

Tammy,

Can you tell me what other settings you are using?

$ ./configure --enable-pkcs12 --enable-cryptonly CFLAGS=-DNO_HMAC
$ make
$ ./wolfcrypt/test/testwolfcrypt
------------------------------------------------------------------------------
 wolfSSL version 4.0.0
------------------------------------------------------------------------------
error    test passed!
MEMORY   test passed!
base64   test passed!
asn      test passed!
MD5      test passed!
SHA      test passed!
SHA-224  test passed!
SHA-256  test passed!
SHA-384  test passed!
SHA-512  test passed!
SHA-3    test passed!
Hash     test passed!
GMAC     test passed!
Chacha   test passed!
POLY1305 test passed!
ChaCha20-Poly1305 AEAD test passed!
AES      test passed!
AES192   test passed!
AES256   test passed!
AES-GCM  test passed!
RANDOM   test passed!
RSA      test passed!
DH       test passed!
ECC      test passed!
logging  test passed!
mutex    test passed!
memcb    test passed!
Test complete

**NOTE: The version says version 4.0.0 but this was tested from the github master branch at https://github.com/wolfssl/wolfssl.git, if you are working with a download from the website or specific version please let me know which one and I can test it as well.

Warm Regards,

KH

9

(10 replies, posted in wolfSSL (formerly CyaSSL))

Hi Tammy,

Yes that is the correct document to be using. Here is what I will update the manual section to read:

NO_HMAC removes HMAC from the build.
NOTE: HMAC is a dependency of SSL/TLS but if you are only using wolfCrypt IE build option "WOLFCRYPT_ONLY" then NO_HMAC can be used in this case.

Will that help to clarify it better?

Warmest Regards,

KH

Hi Oytis,

I see, unfortunately at this time we do not have a run time option. Can you provide a brief summary of your use case and why it would be beneficial to have a run time option? I would happy to add it to our list of internal feature requests and just need something to put in the notes for why it would be useful to have an optional run-time switch as opposed to just supported/not supported build time option.


Warmest Regards,

KH

11

(3 replies, posted in wolfCrypt)

Hi Alfred,

Please turn on PKSC7 support with

--enable-pkcs7

. We provide examples of working with PKCS7 enveloped data in both tests/api.c and wolfcrypt/test/test.c and we provide many examples here:

https://github.com/wolfSSL/wolfssl-exam … ster/pkcs7

I think the most relevant example for your case would be: https://github.com/wolfSSL/wolfssl-exam … 7-verify.c


Warm Regards,

KH

Hi Oytis,

Just disable them and they won't be broadcast for example:


./configure --disable-rsapss --disable-sha512 --disable-sha384

(sha384 is truncated sha512 so should be disabled also).

Cheers,

KH

13

(10 replies, posted in wolfSSL (formerly CyaSSL))

Hi Tammy,

wolfSSL internally has a dependency on HMAC and the option to --enable/--disable hmac was removed years ago. Can you point out where you found NO_HMAC in the documentation so I can update the doc to note that NO_HMAC is no longer supported and should not be used with SSL/TLS?


Warm Regards,

KH

14

(7 replies, posted in wolfSSL (formerly CyaSSL))

Hi Oytis,

Thank you for your request for "A concise PK with HSM callback example". We have noted it in our feature request list and will work on it when we have free engineering cycles. There is no associated timeline with feature requests we work on for free but if you ever decide you want the example work accelerated we do provide custom engineering services, just reach out to support@wolfssl.com and let us know what you need and when you need it by and we can put you in touch with our Business Department to get the details worked out and the feature expedited.

Warm Regards,

KH

Alfred,

My pleasure!

Cheers,

KH

Alfred,

As Jacob noted on the other post:

configure wolfSSL with: "./configure --enable-opensslextra --enable-des3 --enable-arc4". We do not currently support RC2, so encryption done with RC2 can not be decrypted by the API.

By default OpenSSL uses RC2, so you have to explicitly ask it to use des3 for encryption:

Again from Jacobs reply:

Command line to create a pkcs12 certificate to use.
$ openssl pkcs12 -des3 -descert -inkey certs/server-key.pem -in certs/server-cert.pem -CAfile certs/server-cert.pem -out pkcs12.p12 -export

That should get you a start anyway but if not let me know!

Cheers,

KH

Alfred,

I would recommend checking out our PKCS12 test in wolfssl-root/tests/api.c for a reference example (Includes the BIO setup):

https://github.com/wolfSSL/wolfssl/blob … pi.c#L4145


Warm Regards,

KH

Hi Alfred,

You can use:

wolfSSL_CTX_use_PrivateKey_[file | buffer](); // to load the private key
wolfSSL_CTX_use_certificate_[file | buffer](); // to load the certificate
wolfSSL_CTX_check_private_key(); // checks that the private key matches the public key in the cert, returns WOLFSSL_SUCCESS or WOLFSSL_FAILURE
/* Check private against public in certificate for match                         
*                                                                               
* ctx  WOLFSSL_CTX structure to check private key in                            
*                                                                               
* Returns SSL_SUCCESS on good private key and SSL_FAILURE if miss matched. */
int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx);

If you have any issues let me know and I'll put together a quick example.


Warm Regards,

KH

19

(3 replies, posted in wolfSSL (formerly CyaSSL))

Hi dpkrai93,

-308 is a socket error, it's a pretty standard result when the peer rejects the connection for one reason or another. This can be caused by a missing extension that the peer expects to see or a mismatch of cipher suites, etc.

Can you capture a wireshark trace of the test connection for review?

Warm Regards,

KH

SaravananG,

Please use:

wolfSSL_CTX_EnableOCSPStapling()
wolfSSL_UseOCSPStapling()
wolfSSL_CTX_EnableOCSP()

Warm Regards,

KH

Alfred,

It was my pleasure! Thank you for contacting wolfSSL and we look forward to hearing from you in the future should anything else come up. You can also reach or support team at support@wolfssl.com or through our zendesk portal at https://wolfssl.zendesk.com

Warm Regards,

KH

Hi @Alfred,

Here is a quick test I ran today ( I can't find another example and we don't have an API for it unfortunately):

         char myAltNames[] = {
                                 // SEQUENCE (2 elements)
                                 0x30, 0x14,
                                 // OBJECT IDENTIFIEER: 2.5.29.17 subjectAltName
                                 // (X.509 extension)
                                 0x06, 0x03, 0x55, 0x1D, 0x11,
                                 // OCTET STRING (1 element)
                                 0x04, 0x0D, //NOTE: 0x0D = length 13, this needs updated based on string length
                                 // SEQUENCE (1 element)
                                 0x30, 0x0B,
                                 // String, value: "DNS:localhost"
                                 0x82, 0x09, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x68,
                                 0x6F, 0x73, 0x74
                             };                                                   
         XMEMCPY(myCert->altNames, myAltNames, XSTRLEN(myAltNames));              
         myCert->altNamesSz = (int) sizeof(myAltNames);                           
     } 

- KH

@Alfred,

Thanks for the project notes, I'll see if I can find an example today to send you, if not I'll try to put together a brief example.

Cheers,

KH

Hi @SaravananG,

Thank you for reaching out to wolfSSL via the forums. Can you tell us a bit about your project and organization to help us understand your use-case and needs?

Yes wolfSSL implements OCSP stapling on the client side. We provide an example of using it with our examples:

$ cd wolfssl/
$ ./configure --enable-ocspstapling
$ make
$ ./examples/client/client -C -h <domain/IP of server> -p <port number> -A <The CA cert to use> -g -W 1

Where -C forcefully disables CRL if it's enabled in favor of OSCP stapling, -g says to do a HTTP GET request and -W 1 says to use OCSP stapling v1 (use -W 2 for OCSP stapling version 2)

Regards,

KH

Hi Alfred,

Thank you for reaching out to wolfSSL with these questions. Can you tell us a bit about the project you are working on and which team you are with? (We support a few teams from your organization at varying support levels and want to make sure you receive the appropriate support level based on your team affiliation).

The cert structure is defined for end-user applications that include <wolfssl/wolfcrypt/settings.h> (and <wolfssl/options.h> if applicable) and the header <wolfssl/wolfcrypt/asn_public.h>. (See below). Note the comment "For user to fill for cert generation".

258 /* for user to fill for certificate generation */                                
259 typedef struct Cert {                                                            
260     int      version;                   /* x509 version  */                      
261     byte     serial[CTC_SERIAL_SIZE];   /* serial number */                      
262     int      serialSz;                  /* serial size */                        
263     int      sigType;                   /* signature algo type */                
264     CertName issuer;                    /* issuer info */                        
265     int      daysValid;                 /* validity days */                      
266     int      selfSigned;                /* self signed flag */                   
267     CertName subject;                   /* subject info */                       
268     int      isCA;                      /* is this going to be a CA */           
269     /* internal use only */ 
270     int      bodySz;                    /* pre sign total size */                
271     int      keyType;                   /* public key type of subject */         
272 #ifdef WOLFSSL_ALT_NAMES                                                         
273     byte     altNames[CTC_MAX_ALT_SIZE]; /* altNames copy */                     
274     int      altNamesSz;                 /* altNames size in bytes */            
275     byte     beforeDate[CTC_DATE_SIZE];  /* before date copy */                  
276     int      beforeDateSz;               /* size of copy */                      
277     byte     afterDate[CTC_DATE_SIZE];   /* after date copy */                   
278     int      afterDateSz;                /* size of copy */                      
279 #endif                                                                           
280 #ifdef WOLFSSL_CERT_EXT                                                          
281     byte    skid[CTC_MAX_SKID_SIZE];     /* Subject Key Identifier */            
282     int     skidSz;                      /* SKID size in bytes */                
283     byte    akid[CTC_MAX_AKID_SIZE];     /* Authority Key Identifier */          
284     int     akidSz;                      /* AKID size in bytes */                
285     word16  keyUsage;                    /* Key Usage */                         
286     byte    extKeyUsage;                 /* Extended Key Usage */                
287 #ifdef WOLFSSL_EKU_OID                                                           
288     /* Extended Key Usage OIDs */                                                
289     byte    extKeyUsageOID[CTC_MAX_EKU_NB][CTC_MAX_EKU_OID_SZ];                  
290     byte    extKeyUsageOIDSz[CTC_MAX_EKU_NB];                                    
291 #endif                                                                           
292     char    certPolicies[CTC_MAX_CERTPOL_NB][CTC_MAX_CERTPOL_SZ];                
293     word16  certPoliciesNb;              /* Number of Cert Policy */             
294     byte     issRaw[sizeof(CertName)];   /* raw issuer info */                   
295     byte     sbjRaw[sizeof(CertName)];   /* raw subject info */                  
296 #endif                                                                           
297 #ifdef WOLFSSL_CERT_REQ                                                          
298     char     challengePw[CTC_NAME_SIZE];                                         
299 #endif                                                                           
300     void*   decodedCert;    /* internal DecodedCert allocated from heap */       
301     byte*   der;            /* Pointer to buffer of current DecodedCert cache */ 
302     void*   heap;           /* heap hint */                                      
303 } Cert;

You can set the altNames with:

Cert* myCert;
char myAltNames[] = "some string describing your alt name(s)";

...

myCert.altNames = myAltNames;
myCert.alNameSz = XSTRLEN(myAltNames);

Regards,

KH