376 Reply by dgarske

(7 replies, posted in wolfSSL)

Hi Andrey,

Assuming you can get a server certificate with SHA384 digest and signed by a CA with a SHA384 digest and have a real HW RNG source (which you do) then you can disable SHA256. The commit that has this support is here:
https://github.com/wolfSSL/wolfssl/comm … df9e89bab0

With the way the random.c code is structured the wc_GenerateSeed function for STM32F2_RNG will not be available with CUSTOM_RAND_GENERATE_BLOCK defined. So best solution is to copy/paste the wc_GenerateSeed function at line 1414 into your own .c file and then you can do something like what you suggested. The code would look like:

/* Put this in your own .c file */
#undef RNG
#include "stm32f2xx_rng.h"
#include "stm32f2xx_rcc.h"
/*
 * wc_Generate a RNG seed using the hardware random number generator
 * on the STM32F2. Documentation located in STM32F2xx Standard Peripheral
 * Library document (See note in README).
 */
int custom_rand_generate_block(byte* output, word32 sz)
{
    int i;

    /* enable RNG clock source */
    RCC_AHB2PeriphClockCmd(RCC_AHB2Periph_RNG, ENABLE);

    /* enable RNG peripheral */
    RNG_Cmd(ENABLE);

    for (i = 0; i < sz; i++) {
        /* wait until RNG number is ready */
        while(RNG_GetFlagStatus(RNG_FLAG_DRDY)== RESET) { }

        /* get value */
        output[i] = RNG_GetRandomNumber();
    }

    return 0;
}

/* Put this into user_settings.h */
/* Bypass P-RNG and use only HW RNG */
extern int custom_rand_generate_block(unsigned char* output, unsigned int sz);
#undef  CUSTOM_RAND_GENERATE_BLOCK
#define CUSTOM_RAND_GENERATE_BLOCK  custom_rand_generate_block

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

377 Reply by dgarske

(5 replies, posted in wolfSSL)

1. It depends on your architecture and where it puts the stack region, but technically if a stack value is used and isn't cleared then it has the potential to be available later. That is why we use ForceZero on any private data after we are done with it.

2. Only the private (sensitive) information is cleared with ForceZero and that is always enabled. We don not have an option to clear all stack variables, but you could change the mp_clear to do a ForceZero and it would clear the dp section of the big integers. Also there is a GCC compiler option in the works for clearing stack. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69976

3. It depends on the math implementation used. We have a "normal" math and "fast" math (USE_FAST_MATH). The fast math uses stack and the normal math uses heap. So only the normal math uses dynamic mem (heap) for the big integer data.

Let me know if you have any other questions,
David Garske, wolfSSL

Go to forum: wolfSSL

378 Reply by dgarske

(5 replies, posted in wolfSSL)

You are welcome. Internally we are careful to free any private information using the ForceZero() function. If you find places that you think memory should be cleared please let me know. The ForceZero() function ensures that the compiler doesn't optimize out a memset on a stack variable at the end of a function.

Go to forum: wolfSSL

379 Reply by dgarske

(5 replies, posted in wolfSSL)

Hi, it sounds like you are looking for a way to clear allocated buffer with zero's on the free? If you are overriding the allocators for wolfSSL then you could do something like this:

void* my_Malloc(size_t size)
{
    void* ptr;
    ptr = malloc(size + sizeof(size_t));
    if (ptr) {
        *(size_t*)ptr = size;
        ptr += sizeof(size_t);

        memset(ptr, 0, size);
    }
    return ptr;

}
void my_Free(void *ptr)
{
    if (ptr) {
        size_t size = 0;
        ptr -= sizeof(size_t);
        size = *(size_t*)ptr;
        memset(ptr, 0, size);
        free(ptr);
    }
}

wolfSSL_SetAllocators(my_Malloc, my_Free, NULL);

This allocates some extra space at the front and stores the length in it. Let me know if that makes sense or not.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

380 Reply by dgarske

(2 replies, posted in wolfCrypt)

Hi Majkel,

You are correct that you only need the public key x and y plus the signature r and s to verify an ECC signature. Are these all in hex string format like "0102030405060708090A" or unsigned bin? How were these values generated? Typically the R and S values are encoded with a DSA DER header. The public key is typically encoded into a x963 format, which is a small header and raw x then y values.

The functions you'll want to use are wc_ecc_rs_to_sig() and wc_ecc_import_x963().

If you don't have encoded X,Y and R,S values then you can use mp_read_unsigned_bin to import the raw binary into public key such as:

ecc_key key;
wc_ecc_init(&key);
mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, &key->k, NULL, NULL);
mp_read_unsigned_bin(key->pubkey.x, x_buf, x_len);
mp_read_unsigned_bin(key->pubkey.y, y_buf, y_len);
mp_set(key->pubkey.z, 1);

// Then you'll have an ecc_key with public key

int status;
wc_ecc_verify_hash(sig, sigSz, hash, hashSz, &status, &key);


You can also use the "wc_SignatureVerify()" wrapper function. Examples for this are here:
https://github.com/dgarske/wolfssl-exam … /signature

Thanks and looking forward to your reply.
David Garske, wolfSSL

Go to forum: wolfCrypt

381 Reply by dgarske

(4 replies, posted in wolfSSL)

Hi Cxdinter,

Correct, those are the porting options. Its difficult for me to guess, which is better for you and the Poco library without a more detailed review.

For the first option you may have to implement some additional openssl compatibility API's. They have over 4000 API's and we only cover the most common ones. If you do add some and would like to contribute changes back to us that would be wonderful. We only require a signed contributor agreement, which I can send you.

We have more examples in this repo:
https://github.com/wolfSSL/wolfssl-examples

Some clean TLS examples are in this folder:
https://github.com/wolfSSL/wolfssl-exam … master/tls

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

382 Reply by dgarske

(7 replies, posted in wolfSSL)

Hi Andrey,

To clarify you would only need to do CUSTOM_RAND_GENERATE_BLOCK if you wanted to disable SHA256. Our P-RNG (pseudo random number generator) uses SHA256.

I recommend leaving SHA256 enabled and leaving your RNG settings as they are with STM32F2_RNG and wc_GenerateSeed seeding the P-RNG. You will find that most certificates use SHA256 for the digest and so you'll likely need it anyways even with a SHA384 TLS cipher suite.

Let me know if you need further clarification.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

383 Reply by dgarske

(4 replies, posted in wolfSSL)

Hi Cxdinter,

We are continually working to add new openssl compatibility API's. You'll find the ones you are missing in the pull request #618, which should make it into master shortly.

https://github.com/wolfSSL/wolfssl/pull/618

SSL_CTX_ctrl:
https://github.com/wolfSSL/wolfssl/pull … 2c5b9R5625

SSL_ctrl:
https://github.com/wolfSSL/wolfssl/pull … 2c5b9R5614

We also just added a bunch on Nov 10th in PR #617 into master:
https://github.com/wolfSSL/wolfssl/pull/617
Commit: https://github.com/wolfSSL/wolfssl/comm … 4537f5279f

Hopefully that will help with the Poco port you are working on. Let us know if there is anything else.
Your feedback has been very excellent, so thank you!

David Garske, wolfSSL

Go to forum: wolfSSL

384 Reply by dgarske

(1 replies, posted in wolfSSL)

Hi Will,

The EmbedReceiveFrom and EmbedGenerateCookie functions are for DTLS (with WOLFSSL_DTLS defined). The "struct sockaddr_storage" is a POSIX compliant data type for UDP.

If you are using DTLS and called wolfSSL_CTX_new with a wolfDTLSv1_2_client_method or wolfDTLSv1_client_method then you'll want to implement your own IO callbacks for the read/writes.

To do this define WOLFSSL_USER_IO and set the callbacks using wolfSSL_SetIORecv, wolfSSL_SetIOSend and wolfSSL_set_fd. A good example for this is here:
https://github.com/wolfSSL/wolfssl-exam … ack.c#L182

Let me know if you have any other questions or issues.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

385 Reply by dgarske

(6 replies, posted in wolfCrypt)

Hi Cxdinter,

The underlying math used for our Ed/Curve implementation is not the same and is highly optimized for that curve. That is the reason Ed/Curve 25519 is not in the ecc_sets table. However I think it would be good to have it in there optionally for those who want to keep the code size down. I'm adding it to our feature list. Thanks for the idea and your reports. Let me know if there is anything else.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

386 Reply by dgarske

(6 replies, posted in wolfCrypt)

Hi Cxdinter,

Good find. It looks like the wc_EccPrivateKeyDecode doesn't support importing a custom key and passing the OID to the "wc_ecc_import_private_key" function. I did the implementation for the custom curve ECC support, but missed this import path. I've pushed changes to support this to pull-request 631.
https://github.com/wolfSSL/wolfssl/pull/631

I tested it using the following:

ecc_key key;
byte der[4096];
byte buf[4096];
word32 idx = 0;
FILE* derFile;
size_t sz;

RNG rng;

wc_InitRng(&rng);
wc_ecc_init(&key);

if (wc_ecc_make_key_ex(&rng, 32, &key, ECC_BRAINPOOLP256R1) != 0) {
    printf("error making ecc key\n");
    return -1;
}

/* write private key */
if (wc_EccKeyToDer(&key, der, sizeof(der)) < 0) {
    printf("error in ecc to der\n");
    return -1;
}
printf("writing private key to ecc-key.der\n");
derFile = fopen("ecc-key.der", "w");
if (!derFile) {
    printf("error loading file\n");
    return -1;
}

sz = fwrite(der, 1, 4096, derFile);
fclose(derFile);
wc_ecc_free(&key);


/* open and read from der file */
printf("reading in private key\n");
derFile = fopen("ecc-key.der", "rb");
if (!derFile) {
    printf("error reading from file\n");
    return -1;
}

sz = fread(buf, 1, 4096, derFile);
fclose(derFile);

/* load private ecc key */
printf("storing private key in ecc struct\n");
wc_ecc_init(&key);
if (wc_EccPrivateKeyDecode(buf, &idx, &key, (word32)sz) != 0) {
    printf("error decoding private key\n");
    return -1;
}
wc_ecc_free(&key);

wc_FreeRng(&rng);

Please give it a try and let me know how it goes.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

387 Reply by dgarske

(4 replies, posted in wolfCrypt)

Hi Cxdinter,

I performed tests for both wc_SignatureGenerate and wc_SignatureVerify against openssl and all passed using WC_SIGNATURE_TYPE_RSA_W_ENC with WC_HASH_TYPE_SHA256.

When using the WC_SIGNATURE_TYPE_RSA_W_ENC  with wc_SignatureVerify it takes in original data being validated, hashes it, adds the DER encoding (which includes the hash OID) and compares the provided signature. This behavior is correct.


These tests were done using the code here:
https://github.com/wolfSSL/wolfssl-examples/pull/27

This was run from inside the wolfssl-examples/signature directory.

Generate a signature and compare hex output (wolfSSL vs. openssl):
./signature README.md 3 5
openssl dgst -sha256 -sign ../certs/client-key.der -keyform der -hex README.md
Result of both RSA Sign with SHA256 hex output = Matches

Sign and verify using openssl. Save sign as sign.txt.
openssl dgst -sha256 -sign ../certs/client-key.der -keyform der -out sign.txt README.md
openssl dgst -sha256 -verify ../certs/client-keyPub.der -keyform der -signature sign.txt README.md
Verified OK

Use sign.txt to verify signature using wolfSSL.
./signature README.md 3 5 sign.txt
RSA Signature Verification: Pass (0)

If you are still having the issue can you provide some examples for your openssl commands and your specific wc_SignatureVerify arguments?

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

388 Reply by dgarske

(6 replies, posted in wolfCrypt)

Hi Cxdinter,

If you define HAVE_ECC_BRAINPOOL then it will enable the Brainpool curves, however you must create the ECC key using wc_ecc_make_key_ex to tell the ECC layer you want to use that curve type:

ecc_key key;
ret = wc_ecc_init(&key);
ret = wc_ecc_make_key_ex(rng, 32, &key, ECC_BRAINPOOLP256R1);

Then you can call wc_SignatureGenerate.

The best way to add defines if not using ./configure is to globally define WOLFSSL_USER_SETTINGS (like in your CFLAGS) and add a new user_settings.h file somewhere in your include path.

There is a good user_settings.h example here:
https://github.com/wolfSSL/wolfssl/blob … settings.h

Also, if you haven't seen it there is a great signature/verify example here:
https://github.com/wolfSSL/wolfssl-exam … /signature
Although its missing the custom ECC curve example above, so I'm going to add that soon.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

389 Reply by dgarske

(4 replies, posted in wolfCrypt)

Hi Cxdinter,

Openssl adds a DER encoding on their RSA signature by default. Try using sig_type= "WC_SIGNATURE_TYPE_RSA_W_ENC".

Let me know if that helps.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

390 Reply by dgarske

(2 replies, posted in wolfCrypt)

Hi cxdinter,

Thank you so much for the report.

It looks like that scenario could happen if your call to wc_RNG_GenerateBlock did not return 0 (in wc_ecc_make_key_ex at line 2507). In that case variable "a" would be un-initialized from the stack and the call to "mp_clear" could cause a seg fault due to invalid pointer.

Will you confirm your wc_RNG_GenerateBlock return code? It should be zero indicating success.

I've pushed a fix for that here:
https://github.com/wolfSSL/wolfssl/pull/626

Let me know if that helps.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

391 Reply by dgarske

(7 replies, posted in wolfSSL)

Hi Andrey,

To enable SHA384 you must also defined "WOLFSSL_SHA512". The code for SHA384 is dependent on SHA512.

To disable SHA256 you will also have to disable the P-RNG is wolfSSL, since it requires SHA256. You are welcome to do this if you have a good hardware RNG source.

Here is an example for disabling the P-RNG:
https://github.com/wolfSSL/wolfssl/blob … ngs.h#L265
https://github.com/wolfSSL/wolfssl/blob … rget.c#L40

Additionally you will need to of course define NO_SHA256:
#define NO_SHA256

In my testing for this I located an issue in our code which assumes SHA256 is present in SendCertificateVerify. A fix for that is located here:
https://github.com/wolfSSL/wolfssl/pull/625

Thanks and please let me know if you have anymore questions.
David Garske, wolfSSL

Go to forum: wolfSSL

392 Reply by dgarske

(5 replies, posted in wolfCrypt)

Hi Jesussotofan,

All calls to wc_GenerateSeed are in wolfcrypt/src/random.c. There are multiple places where this function exists depending on the hardware platform. Those start at line 1133.

If you are defining CUSTOM_RAND_GENERATE_SEED then it will use the function used in that define. I'd also make sure you don't have NO_DEV_RANDOM defined.

The function wc_InitRng calls wc_GenerateSeed. Make sure the wolfcrypt/src/random.c is being included with the build. Make sure you have a wc_GenerateSeed function in your random.c or use the CUSTOM_RAND_GENERATE_SEED define to remap it to your own function.

Have you seen our Arduino example for wolfSSL?
https://github.com/wolfSSL/wolfssl/tree … DE/ARDUINO

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

393 Reply by dgarske

(5 replies, posted in wolfCrypt)

Hi Jesussotofan,

I did a search for Arduino RNG and came up with this good result:
https://www.arduino.cc/en/Reference/Random

To implement option #2 you need to add the following to your settings.h or user_settins.h (if WOLFSSL_USER_SETTINGS is defined).

int rand_gen_seed(byte* output, word32 sz);
#define CUSTOM_RAND_GENERATE_SEED  rand_gen_seed

Then the function can be put into any .c file in your project (wherever it makes sense to you).

The function would look like:

int rand_gen_seed(byte* output, word32 sz)
{
    int i;
    for (i = 0; i < sz; i++ ) {
        output[i] = analogRead(0);
    }

    return 0;
}

Its important to have a good random seed, so if your micro controller has an RNG peripheral you should find example code for it and use it. The above example uses analog source 0 noise to seed the P-RNG, which is from the reference to website provided above.

Our random.c file has many references to RNG hardware implementations, so check and see if your micro-controller is already listed in there. If so you can define the value needed to enable it.

Let me know if you have any other questions.

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

394 Reply by dgarske

(5 replies, posted in wolfCrypt)

Hi Jesussotofan,

Your platform must not have a random number seed function defined in random.c (starting at line 1133).

Either you can:
1. Locate a reference implementation in random.c and make sure you have the right define set for your hardware platform / OS.

2. Define CUSTOM_RAND_GENERATE_SEED and use your own implementation:

int rand_gen_seed(byte* output, word32 sz);
#define CUSTOM_RAND_GENERATE_SEED  rand_gen_seed

In your example above, I also recommend:
including:
#include <wolfssl/wolfcrypt/random.h>

Using WC_RNG for the rng global:
WC_RNG rng;

Let me know if you have anymore questions,

Thanks,
David Garske, wolfSSL

Go to forum: wolfCrypt

395 Reply by dgarske

(2 replies, posted in wolfSSL)

Hi Eshober,

We do have a Microchip MLA example with SMTP support. Please send an email to support@wolfssl.com and we can send you a link for it.

Thanks,
David Garske, wolfSSL

Go to forum: wolfSSL

396 Reply by dgarske

(1 replies, posted in wolfCrypt)

Hi Hagai,

That's great you are using wolfMQTT and wolfSSL with Amazon AWS! It would be excellent to get more info on your project by emailing us at info@wolfssl.com when you get a chance.

I've seen an issue like this before and it was due to timezone differences between local time and the time in the cert. The ValidateDate function tries to offset the local time by looking for +/- at the end of the cert begin/end dates.

If you are using the FREESCALE_MQX or FREESCALE_KSDK_MQX defines the asn.c XTIME gets mapped to mqx_time which ends up calling "_time_get". The mqx_time function should be getting the number of seconds since UTC.

You might consider implementing your own XTIME function and by defining "USER_TIME" and adding a new function in your code called XTIME: time_t XTIME(time_t * timer);. Then you can offset the XTIME your timezone diff.

Thanks, David Garske, wolfSSL

Go to forum: wolfCrypt

397 Reply by dgarske

(9 replies, posted in wolfCrypt)

Hey Avenuti,

A fix for this issue has been pushed to GitHub PR#535:
https://github.com/wolfSSL/wolfssl/pull/535

Thanks, David Garske, wolfSSL

Go to forum: wolfCrypt

398 Reply by dgarske

(9 replies, posted in wolfCrypt)

Hey Avenuti,

I am able to reproduce the error with normal math and ECC-521 on that board. I was then also able to reproduce on my Mac with 32-bit mode (-m32) and NO_64BIT defined. Happens with or without ECC_TIMING_RESISTANT.

This failure only happens on 32-bit systems with normal math. Until then please use fast math with ECC-521.

For reference the error is:
"ecc_test_curve_size 66 failed!: -1023
ECC      test failed!
error = -1023"

The error is happening inside the "ecc_check_pubkey_order" function, which returns -215 (ECC_INF_E).

We are investigating the cause and will let you know when we have a resolution. Thanks again for the report!

Thanks, David Garske, wolfSSL

Go to forum: wolfCrypt

399 Reply by dgarske

(9 replies, posted in wolfCrypt)

Hey Avenuti,

Sorry about the confusion. I thought you meant it wasn't working with USE_FAST_MATH.

The most common reason for a failure with normal math is that it uses heap allocations for the big integers. If you want to get normal math working I'd recommend increasing your heap size and trying again.

With USE_FAST_MATH disabled none of the options listed above are used except "ECC_TIMING_RESISTANT". That's because TFM_ and FP_MAX_BITS_ECC are only used with fast math.

The fast math uses stack for its allocations while normal math uses heap. The fast math tends to be faster because there is no heap allocation/free overhead.

The "ALT_ECC_SIZE" will save memory if using RSA and ECC because it will use heap allocations of a reduced size for ECC points, but only works when used with USE_FAST_MATH.

I'll run some tests this week and see if I can locate any issues using normal math and ECC-521. I have an LPC1837 board here to test with and see if I can reproduce.

Thanks, David Garske, wolfSSL

Go to forum: wolfCrypt

400 Reply by dgarske

(9 replies, posted in wolfCrypt)

Hey Avenuti,

I'll take a look at the TFM_ECC521 define. I personally testing that combination on a Cortex M4 without any issue, but its possible there is an problem with the FP_MAX_BITS_ECC calc on a 32-bit micro with TFM_ECC521. I'll let you know the results of my testing early tomorrow.

In the mean-time did you try it without "FP_MAX_BITS_ECC" defined? You could also try setting "FP_MAX_BITS_ECC" to a larger value like 1200 and see if that helps.

Thanks, David Garske, wolfSSL

Go to forum: wolfCrypt