You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by dgarske
Hi Scott,
See here for a list of SP math build options:
https://github.com/wolfSSL/wolfssl/blob … _int.c#L42
For the assembly an you try using `WOLFSSL_SP_ARM32_ASM`
Try disabling DH (NO_DH) and only use RSA and ECC. For SP related build options try just these:
#define WOLFSSL_SP_MATH
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_HAVE_SP_ECC
#define WOLFSSL_SP_4096
#define WOLFSSL_SP_ARM32_ASM
#define NO_DH
#define HAVE_ECCThanks,
David Garske, wolfSSL
Hi Scott,
Make sure you set `WOLFSSL_SP_4096` to enable 4096-bit support for SP math. Also set `WOLFSSL_HAVE_SP_RSA` and `WOLFSSL_HAVE_SP_DH` to speedup RSA/DH with SP math.
For this A8 you can also enable SP assembly speedups for RSA/DH and ECC using `WOLFSSL_SP_ARM_THUMB_ASM`. If the code size grows too large you can use `WOLFSSL_SP_SMALL`. You might also consider disabling DH and use just ECDHE for the key share using `NO_DH`.
Thanks,
David Garske, wolfSSL
Hi miennaco,
The AES GCM IV is normally 12-bytes, but it supports any length. An IV size not equal to 12-byte will first be GHASH'd then used.
See the code here:
https://github.com/wolfSSL/wolfssl/blob … es.c#L7180
Thanks,
David Garske, wolfSSL
Hi Scotty2541,
Sorry about the documentation issue on `wolfSSL_CTX_load_verify_buffer_ex`. I added that API a few releases back for supporting loading of trusted certificates with some additional options to allow date override and forceful load.
The API definition is:
int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx,
const unsigned char* in,
long sz, int format, int userChain,
word32 flags)Additional two arguments:
* userChain: If using format WOLFSSL_FILETYPE_ASN1 this set to non-zero indicates a chain of DER's is being presented.
* flags: See ssl.h around WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS.
#define WOLFSSL_LOAD_FLAG_NONE 0x00000000
#define WOLFSSL_LOAD_FLAG_IGNORE_ERR 0x00000001
#define WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY 0x00000002
#define WOLFSSL_LOAD_FLAG_PEM_CA_ONLY 0x00000004
#ifndef WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS
#define WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS WOLFSSL_LOAD_FLAG_NONE
#endifI've made note to add this to our doxygen in doc/dox_comments/header_files/ssl.h.
Thanks,
David Garske, wolfSSL
Hi Hadrien,
For primary keys you get back a handle. There is no encrypted private data returned. That handle will remain loaded until TPM2_FlushContext is called.
For normal key creation using `TPM2_Create` you get back a `TPM2B_PRIVATE outPrivate` which is the encrypted blob that you can store and load anytime using TPM2_Load.
For the key blob storage see this example:
https://github.com/wolfSSL/wolfTPM/blob … gen.c#L273
I've put up a PR with some additions and fixes in WindowsTBS.md here.
https://github.com/wolfSSL/wolfTPM/pull/163
Thanks,
David Garske, wolfSSL
Hi cxenof03,
The encryption algorithm is initialized with the call to keys.c:SetKeysSide(). Actually the internal function SetKeys() is making the calls to wc_AesInit() and wc_AesGcmSetKey().
WritePSKBinders sets the keys for early data on the client. DoPreSharedKeys sets the keys on the server.
* The PSK establishes a master secret. See SetupPskKey() and DoPreSharedKeys().
* DeriveEarlySecret() derives the secret for creating the keys. See "Early Secret" in diagram in TLS 1.3 spec, page 93.
* DeriveTls13Keys() calls DeriveEarlySecret() and then derives the key that is placed in the 'Key data' that is used in SetKeysSide. See "client_early_secret_traffic_secret" in TLS 1.3 spec, page 93.
* SetKeysSide takes the 'Key data' and extracts out the key to use.
Thanks,
David Garske, wolfSSL
Hi Hadrian,
Thank you for your interest in using wolfTPM! I am happy it has inspired you!
For Windows using their TBS interface the NV access is not permitted. I believe this is either because the TPM is started under a locality that does not allow it or the TBS blocks it. The NV storage on TPM's is very limited, which might be the reason.
The TPM is designed to return an encrypted blob on key creation that you can safely store on the disk and when needed load. The key used to encrypt the blob is only known by the TPM. When you load a key you get a transient handle to it, which can be used for signing and even encryption/decryption.
I believe this is documented in the WindowsTBS.md file here:
https://github.com/wolfSSL/wolfTPM/blob … ndowTBS.md
Thanks,
David Garske, wolfSSL
Hi Hadrien,
Have you seen our recent PR adding attestation support?
https://github.com/wolfSSL/wolfTPM/pull/161
We are also working on another example that uses TLS v1.3 between peers that should be posted in a few weeks.
If you are not familiar with it the tpm.dev website has some great discussions on this topic.
Thanks,
David Garske, wolfSSL
Hi m.gadroy,
This was fixed back in Sept 2020 in this PR:
https://github.com/wolfSSL/wolfssl/pull/3280
You can find it in v4.6.0 or later.
Thanks,
David Garske, wolfSSL
Hi keeperp,
Thank you for the report. I believe the `WOLF_CONF_MATH == 4` option will work if you comment out `WOLFSSL_SP_MATH` in the generated `wolfSSL.I-CUBE-wolfSSL_conf.h`. The `WOLFSSL_SP_MATH` define reduces code size and disables some areas of the code.
For example if building this on Linux "./configure --enable-srp --enable-sp --enable-sp-math && make" it will report "configure: error: Cannot use single precision math and SRP".
If I build without `--enable-sp-math` or `WOLFSSL_SP_MATH` it works fine.
Thanks,
David Garske, wolfSSL
Hi cxenof03,
As we've discussed offline you might consider using the TLS v1.3 early data feature to send the public key. Otherwise you would need to make some very specific changes inside the wolfSSL code to inject an additional extension.
Thanks,
David Garske, wolfSSL
Hi cxenof03,
1) Good point. I put up a PR with API's for getting the static ephemeral here:
https://github.com/wolfSSL/wolfssl/pull/3942
2) Those are pointers to DerBuffer (ASN.1) with members `buffer` and `length`. The above PR should solve this for you.
3) Yes the KeyShare public keys will map to the static ephemeral keys.
Thanks,
David Garske, wolfSSL
Hi Tammy,
Are you using the Cube MX HAL? If so what version? The Cube HAL handles enabling the clock automatically with the generated code.
If you still need to manually control the peripheral clock for power consumption reasons you can do it with the following:
The __HAL_RCC_AES_CLK_ENABLE() API comes from stm32l4xx_hal_rcc.h which gets included via stm32l4xx_hal_conf.h if the HAL has been generated with HAL_CRYP_MODULE_ENABLED set.
Which L4 part are you using and what wolfSSL build options have you defined in the user_settings.h or wolfSSL.wolfSSL_conf.h?
Thanks,
David Garske, wolfSSL
Hi Abhishek,
That is good news regarding the Cube pack.
We fully support both bare-metal and LWIP. For LWIP we support either the Posix or RAW interface. With the LWIP Posix interface requires threading (I believe). We do have an LWIP raw example in an old PR here:
https://github.com/wolfSSL/wolfssl/pull/599
Another option is to define `WOLFSSL_USER_IO` and set read / write callbacks using the following API's:
/* I/O callbacks */
typedef int (*CallbackIORecv)(WOLFSSL *ssl, char *buf, int sz, void *ctx);
typedef int (*CallbackIOSend)(WOLFSSL *ssl, char *buf, int sz, void *ctx);
WOLFSSL_API void wolfSSL_CTX_SetIORecv(WOLFSSL_CTX*, CallbackIORecv);
WOLFSSL_API void wolfSSL_CTX_SetIOSend(WOLFSSL_CTX*, CallbackIOSend);
WOLFSSL_API void wolfSSL_SSLSetIORecv(WOLFSSL*, CallbackIORecv);
WOLFSSL_API void wolfSSL_SSLSetIOSend(WOLFSSL*, CallbackIOSend);We have some examples for this here:
https://github.com/wolfSSL/wolfssl-exam … callback.c
Thanks,
David Garske, wolfSSL
Hi mahdyseifelnasr,
We fully support the CortexM0 with some impressive assembly speedups for ECC, RSA and DH.
There is a good Makefile template for GCC ARM here:
https://github.com/wolfSSL/wolfssl/tree … DE/GCC-ARM
If you would prefer to cross-compile using ./configure here is an example:
./configure --host=arm-none-eabi CC=gcc AR=ar --disable-shared --enable-cryptonly --disable-examples --disable-crypttests --prefix=[yourpath]
If you have the option to use the STM32Cube wolfSSL pack it allows you to generate code on many STM32 targets and IDE's.
Thanks,
David Garske, wolfSSL
Hi All,
I have posted an example for using our TLS v1.3 secret logging here:
https://github.com/wolfSSL/wolfssl-examples/pull/251
Thanks,
David Garske, wolfSSL
Hi cxenof03,
That is correct. For TLS v1.3 you can use HAVE_SECRET_CALLBACK and wolfSSL_set_tls13_secret_cb to setup a callback for printing the secrets for use with Wireshark.
The WOLFSSL_STATIC_EPHEMERAL feature does allow you to use a fixed ephemeral key for testing, which can be loaded into Wireshark. The WOLFSSL_STATIC_EPHEMERAL is meant to be used with the WOLFSSL sniffer (--enable-sniffer) and sslSniffer/sslSnifferTest, which allows decryption of the TLS traffic.
If you'd like some additional documentation on this please email us directly using support@wolfssl.com.
Thanks,
David Garske, wolfSSL
Hi Iyaps,
For TLS v1.3 it is on by default, but you can explicitly set `--enable-tls13` to turn it on.
TLS v1.3 requires the following additional build options (if not using ./configure):
#define WOLFSSL_TLS13
#define HAVE_FFDHE_2048
#define HAVE_HKDF
#define WC_RSA_PSSThanks,
David Garske, wolfSSL
Hi Iyaps,
You can do either ./configure with cross compile or a Vitis IDE project.
We have a full example project here:
https://github.com/dgarske/UltraZed-EG-wolf
For cross-compiling here is an example I used for QNX on the ZCU102:
./configure --host=aarch64 \
CC="aarch64-unknown-nto-qnx7.0.0-gcc" \
AR="aarch64-unknown-nto-qnx7.0.0-ar" \
RANLIB="aarch64-unknown-nto-qnx7.0.0-ranlib" \
--prefix=$WOLFSSL_BUILD_DIR \
--disable-shared --disable-examples --disable-crypttests \
CFLAGS="-DWOLFSSL_HAVE_MIN -DWOLFSSL_HAVE_MAX \
-DFP_MAX_BITS=8192" --enable-fastmath \
--enable-armasm --enable-sp --enable-sp-asmWith some minor adjustments to the compile CC you could build with a generic GCC like "aarch64-none-elf-". You might also need to add CFLAGS= "-march=armv8-a"
Thanks,
David Garske, woilfSSL
Hi Iyyappan,
Can you provide me your build settings? Are you using custom IO callbacks for the LWIP layer or the LWIP socket layer and wolfio.c default implementation? Its possible the callback is not returning the right values.
Since you are using multi-threading I assume you have `FREERTOS` defined for mutex protection. Even so you may not use the same WOLFSSL object from more than one thread. There is a feature you can use to duplicate the WOLFSSL object so you have one for reading and another for writing. If interested that is `HAVE_WRITE_DUP` and `wolfSSL_write_dup`.
Thanks,
David Garske, wolfSSL
Hi Iyaps,
Have you called wolfSSL_Init() or wolfCrypt_Init() in your application code?
In your Xilinx BSP / Hardware Platform have you enable the xilsecure library?
Have you seen our Xilinx FreeRTOS/LWIP example here:
https://github.com/wolfSSL/wolfssl-examples/pull/155
https://github.com/JacobBarthelmeh/wolf … x/FreeRTOS
We also have some Xilinx tips here:
https://github.com/wolfSSL/wolfssl/tree … /XilinxSDK
Thanks,
David Garske, wolfSSL
Hi Iyyappan,
Can you share a snippet of your code calling wolfSSL_read()? Also can you call `err = wolfSSL_get_error(ssl, 0);` and see if any other error code is returned? Also can you enable logging using DEBUG_WOLFSSL and calling wolfSSL_Debugging_ON()?
I suspect either an issue with heap memory exhausted or the supplied argument to wolfSSL_read invalid.
Thanks,
David Garske, wolfSSL
Hi Abhishek,
I can reproduce and have an updated pack posted here:
https://drive.google.com/file/d/1WWGrJb … sp=sharing
You can manually exclude the folder, but as a solution I've removed it from the pack.
It will be on the website shortly at the linked location:
https://www.wolfssl.com/files/ide/I-CUBE-wolfSSL.pack
Thanks for the report.
David Garske, wolfSSL
Hi Abhishek,
No, the directory in wolfssl/linuxkm must be excluded. Those files are only for building with the Linux Kernel Module.
Right-click this folder in Project Explorer tree and go to "Properties". Under Resource there is an option to exclude the directory. I am running some tests with the wolfSSL Cube pack v4.7.0 again to make sure my fix for this exclusion is working.
Thanks,
David Garske, wolfSSL
Hi Remy,
Is it possible you need to call `int wc_ecc_make_pub_ex(ecc_key* key, ecc_point* pubOut, WC_RNG* rng)` first to generate the public key material?
I've also asked our PKCS11 expert Sean P to review this post.
Thanks,
David Garske, wolfSSL
wolfSSL - Embedded SSL Library → Posts by dgarske
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.021 seconds (76% PHP - 24% DB) with 4 queries