1 Reply by ajaygargnsit

(2 replies, posted in wolfSSL)

Using the config.sub from http://git.savannah.gnu.org/gitweb/?p=c … ub;hb=HEAD solved the issue.

Go to forum: wolfSSL

2 Reply by ajaygargnsit

(2 replies, posted in wolfSSL)

Just for the record, ruby is already installed.

ajay@latitude-3480:~/wolfssl$ ruby -v
ruby 2.6.1p33 (2019-01-30 revision 66950) [x86_64-linux]

Earnestly looking for pointers.


Thanks and Regards,
Ajay

Go to forum: wolfSSL

3 Topic by ajaygargnsit

(2 replies, posted in wolfSSL)

Hi All.

Following is my machine information :

ajay@latitude-3480:~$ uname -a
Linux latitude-3480 4.13.0-38-generic #43~16.04.1-Ubuntu SMP Wed Mar 14 17:48:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I cloned the repository, checked out v4.0.0-stable, and then did the following :

ajay@latitude-3480:~/wolfssl$ ./autogen.sh 
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: copying file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:21: installing 'build-aux/compile'
configure.ac:26: installing 'build-aux/missing'
Makefile.am: installing 'build-aux/depcomp'
autoreconf: Leaving directory `.'
ajay@latitude-3480:~/wolfssl$
ajay@latitude-3480:~/wolfssl$
ajay@latitude-3480:~/wolfssl$
ajay@latitude-3480:~/wolfssl$ ./configure 
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
configure: error: cannot run /bin/bash build-aux/config.sub

If I manually try running build/aux/config.sub, following is seen :

ajay@latitude-3480:~/wolfssl$ /bin/bash build-aux/config.sub
build-aux/config.sub: line 95: syntax error near unexpected token `)'
build-aux/config.sub: line 95: `    *local*)'

What am I missing?

I have already googled, but haven't been able to solve the issue I have been hung now for 2 days.
So, will be grateful for pointers.


Thanks and Regards,
Ajay

Go to forum: wolfSSL

4 Reply by ajaygargnsit

(2 replies, posted in wolfSSL)

Thanks Kaleb for the reply.

Actually, my purpose was/is to remove any OS-specific dependencies, and make the code as bare-metalized as possible.


a)
I figured out that the _open was being called from the default implementation of

int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)

in random.c , that opened a file-descriptor to /dev/random.

Now, since the default-implementation is only for linux-like systems, so I moved this to our device-specific section in our framework. In wolfSSL's world, this would mean using CUSTOM_RAND_GENERATE_SEED.


b)
For _gettimeofday, I used the bare-metal implementation

int _gettimeofday( struct timeval *tv, void *tzvp )
{
    uint64_t t = getCurrentTick();
    tv->tv_sec = t;
    tv->tv_usec = 0;
    
    return 0;
}

where struct timeval is primitive, and getCurrentTick again resides in the device-specific section.


Please mark this thread as solved.



Thanks and Regards,
Ajay

Go to forum: wolfSSL

5 Reply by ajaygargnsit

(5 replies, posted in wolfSSL)

Thanks Kaleb for the WONDERFUL reply.
Thanks a ton for taking out the time for such exhaustively useful post !!!

In my particular case, I disabled client-certificate-authorization at the server.
That lowered the wolfSSL_connect bytes-exchanges from 17 KB to just 5 KB (as the server stopped sending the long list of allowed client-certificate-CA-names).

ajay@ajay-HP-15-Notebook-PC:~$ openssl s_client -connect device.instamsg.io:8883
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=instamsg.io
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFfDCCBGSgAwIBAgIQQsXI79FMuyB92lRe0JjLYjANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xNzAyMDIwMDAwMDBaFw0yMDAzMDMyMzU5NTlaMFwxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVs
dGktRG9tYWluMRQwEgYDVQQDEwtpbnN0YW1zZy5pbzCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAL87Q4NFR/U4rwIgn9MQqJDxj1PX6qpQ2vmUoNRnF71G
RI3mussdOa6vfkL64zUqpY/0G9QSLoV0Zj510X2FXeEaKbyUnOz1kbIYmQZs3rvi
P8Ou9052U70EeAoKxq2sJwUAxWBk2UkJJrCquYIUfqSUh6URzG1jJdzIxTkU1Mq4
nj2JAiJqtCcMm0pD0Tvrc9J/7bEx7N1/ldWG7cZqyQtD99ghwLsu4PvgF3tmDjJ5
8zDvmB4faesKRU9zdt04vQZj56yJTsO5j1OcHcQK+XoJljiagyQVPse+nOGFYnHU
xYCd6SV9eq1O9z0WhVOhkXsgedjMqpuhh7qV7l7oBfcCAwEAAaOCAgMwggH/MB8G
A1UdIwQYMBaAFJCvajqUWgvYkOoSVnPfQ7Q6KNrnMB0GA1UdDgQWBBSskCojIof2
LWYPlxTrJt8xFNPZMjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgwRjA6BgsrBgEEAbIx
AQICBzArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQ
UzAIBgZngQwBAgEwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5jb21vZG9j
YS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
bDCBhQYIKwYBBQUHAQEEeTB3ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LmNvbW9k
b2NhLmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0Eu
Y3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wUQYDVR0R
BEowSIILaW5zdGFtc2cuaW+CD2FwaS5pbnN0YW1zZy5pb4ISZGV2aWNlLmluc3Rh
bXNnLmlvghRwbGF0Zm9ybS5pbnN0YW1zZy5pbzANBgkqhkiG9w0BAQsFAAOCAQEA
JR1sFZ7kJGQwVuovmvGW1e+uEOEv+efVynekmMQp6UWWSfUBsGPXc64WwAlAQ3y9
hWkxUq7No4Oaf1jHg0VYukxSykbxVllMhsc2mZ2afOEjVYu6xAxzOzlFQ0748Q4F
RwkasGAhsWMOqcRWHrDwJ/Lqy9o36OYF3ZxvMe7u557CNaS2ua1AiXc3WzfTPovu
O9yC/xghDEZ1EAZqILr75CcDwPR9Gs1nlJJTFWGhUmp+OiwTiGKz9yg9RfrPEvBU
uytgDu7kSKkVo6J1L9lmFw/RAk98KPe4sR2zLPi3U+p1xajLK6rbrMZDXUyn8wN+
5snA04o4Dg9GPV/eakxBXA==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=instamsg.io
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4934 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-DES-CBC3-SHA
    Session-ID: 5A26271571D58DE8068741AD8E6B3DA949DEF9CCEB0B00906B884C5828F6B678
    Session-ID-ctx: 
    Master-Key: 0EBD937ADC38D5795F2AADDBAADE67CB49C70AF6F78B4775E3EBAB0A816CAC01374094534664A4C32B4B8D73BE8212BE
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1512449813
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Curently, No client certificate CA names sent is sent.
Earlier (with client-cert-authorization optional at server), server used to send a LOONGG list of allowed-CAs.

Once again, thanks a ton for your time.
Please mark this thread as solved.


Thanks and Regards,
Ajay

Go to forum: wolfSSL

6 Reply by ajaygargnsit

(5 replies, posted in wolfSSL)

Hi All.

Sorry for the stupid questions, but the reason I ask is because the step 2) as per https://www.ibm.com/support/knowledgece … 10660_.htm , requires about 17 KB (16384 bytes to be exact) for server-digital-certificate exchange .

Above is fine for OSes like Ubuntu, but on SOCs running FreeRTOS+Lwip, this means ::

* At least 17 KB of RAM/Heap in user-space
* At least #define TCP_MSS 17000 in lwipopts.h


So, not feasible.


So, if I may frame my question more appropriately,

Does TLS always require an exchange of server-digital-certificate, or there are certain cipher-suites which do not require this server-digital-certificate exchange (in context of wolfSSL)?


Again, kindly forgive this noob for asking such basic questions.


Thanks and Regards,
Ajay

Go to forum: wolfSSL

7 Topic by ajaygargnsit

(5 replies, posted in wolfSSL)

Hi All.

We are trying to integrate wolfSSL in our framework, so that the framework is easy to integrate with ANY system.
For whatever device/system we port our framework for, the device/system will connect to our proprietary server only.

Now, assuming our server supports all cipher-suites/encryption-algorithms, which cipher-suite/encryption-algorithm (on the device/system) will generally have the lowest memory-requirements (mainly applicable during wolfSSL_connect stage)? I ask this, because if a particular cipher-suite/encryption-algorithm does have the lowest memory-requirements as compared to others (and provided our server supports that cipher-suite/encryption-algorithm), then we would enable ONLY that cipher-suite/encryption-algorithm in our framework (thus enabling minimum memory requirement across all devices/systems).


Sorry if I am asking a stupid question.


Thanks and Regards,
Ajay

Go to forum: wolfSSL

8 Reply by ajaygargnsit

(9 replies, posted in wolfSSL)

Thanks Kaleb ... that did it !!!

I don't think I would be allowed to change the server, plus we already have 10s of gateways (running on OpenSSL) connected to already-running server, so changing anything on the server is out of the question (at least till things work fine with both OpenSSL and WolfSSL).

Once again, thanks a ton ... and this thread can be marked as SOLVED (after probably adding the information in the title that the BUFFER_ERROR comes only on a 32-bit machine running Ubuntu).


Thanks Kaleb !!!!!!!!


Thanks and Regards,
Ajay

Go to forum: wolfSSL

9 Topic by ajaygargnsit

(2 replies, posted in wolfSSL)

Hi All.

Via awesome help via https://www.wolfssl.com/forums/topic113 … u1404.html , I have been able to run our application on Ubuntu-14.04, with all data being secured-over-wire.  Thanks Kaleb !!!

Now, I am trying to port the application to a SOC, using an ARM-processor.
Compilation has proceeded forward a good deal, however, I get the following errors ::

undefined reference to _open
undefined reference to _gettimeofday

Upon some googling, it looks that these are being caused due to linking of libc.a (I am using Atmel-Studio for compiling for SOC).


Also, following are the (additional) settings ::

#define HAVE_ECC
#define HAVE_ECC_SIGN
#define HAVE_ECC_VERIFY
#define HAVE_ECC_DHE
#define HAVE_ECC_KEY_IMPORT
#define HAVE_ECC_KEY_EXPORT

#define XMALLOC_USER
#define SINGLE_THREADED
#define NO_WRITEV
#define NO_AES
#define NO_FILESYSTEM
#define WOLFSSL_SMALL_STACK

Is there a way to overcome the errors? Or better still, to totally avoid linking of libc.a?


Thanks and Regards,
Ajay

Go to forum: wolfSSL

10 Reply by ajaygargnsit

(9 replies, posted in wolfSSL)

Hi Kaleb.

Thanks a ton for the help.

Yes, the server IP is 104.130.68.125.
Also, following is the complete blob while building/running the wolfSSL-connect from command line ::


ajay@ajay-HP-15-Notebook-PC:~/wolfssl$ git pull
Already up-to-date.

ajay@ajay-HP-15-Notebook-PC:~/wolfssl$ git diff HEAD

ajay@ajay-HP-15-Notebook-PC:~/wolfssl$ ./autogen.sh
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build-aux'.
libtoolize: copying file `build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
autoreconf: Leaving directory `.'

ajay@ajay-HP-15-Notebook-PC:~/wolfssl$ ./configure
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether UID '1000' is supported by ustar format... yes
checking whether GID '1000' is supported by ustar format... yes
checking how to create a ustar tar archive... gnutar
checking how to print strings... printf
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert i686-pc-linux-gnu file names to i686-pc-linux-gnu format... func_convert_file_noop
checking how to convert i686-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking how to run the C++ preprocessor... g++ -E
checking for ld used by g++... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking whether the g++ linker (/usr/bin/ld) supports shared libraries... yes
checking for g++ option to produce PIC... -fPIC -DPIC
checking if g++ PIC flag -fPIC -DPIC works... yes
checking if g++ static flag -static works... yes
checking if g++ supports -c -o file.o... yes
checking if g++ supports -c -o file.o... (cached) yes
checking whether the g++ linker (/usr/bin/ld) supports shared libraries... yes
checking dynamic linker characteristics... (cached) GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether the -Werror option is usable... yes
checking for simple visibility declarations... yes
checking whether make supports nested variables... (cached) yes
checking size of long long... 8
checking size of long... 4
checking for __uint128_t... no
checking for gethostbyname... yes
checking for getaddrinfo... yes
checking for gettimeofday... yes
checking for gmtime_r... yes
checking for inet_ntoa... yes
checking for memset... yes
checking for socket... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking stddef.h usability... yes
checking stddef.h presence... yes
checking for stddef.h... yes
checking sys/ioctl.h usability... yes
checking sys/ioctl.h presence... yes
checking for sys/ioctl.h... yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking for socket in -lnetwork... no
checking whether byte ordering is bigendian... no
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking whether gcc understands -c and -o together... (cached) yes
checking dependency style of gcc... (cached) gcc3
checking whether gcc and cc understand -c and -o together... yes
checking whether we are using the GNU C++ compiler... (cached) yes
checking whether g++ accepts -g... (cached) yes
checking dependency style of g++... (cached) gcc3
checking for size_t... yes
checking for uint8_t... yes
checking dependency style of gcc... gcc3
checking for cos in -lm... yes
checking for thread local storage (TLS) class... __thread
checking for debug... no
checking for the pthreads library -lpthreads... no
checking whether pthreads work without any flags... no
checking whether pthreads work with -Kthread... no
checking whether pthreads work with -kthread... no
checking for the pthreads library -llthread... no
checking whether pthreads work with -pthread... yes
checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
checking if more special flags are required for pthreads... no
checking for PTHREAD_PRIO_INHERIT... yes
checking for fast RSA... no
checking for library containing gethostbyname... none required
checking for library containing socket... none required
checking for vcs system... git
checking for vcs checkout... yes
checking whether the linker accepts -Werror... yes
checking whether the linker accepts -z relro -z now... yes
checking whether the linker accepts -pie... yes
checking whether C compiler accepts ... yes
checking whether C compiler accepts -Werror... yes
checking whether C compiler accepts -Wno-pragmas... yes
checking whether C compiler accepts -Wall... yes
checking whether C compiler accepts -Wno-strict-aliasing... yes
checking whether C compiler accepts -Wextra... yes
checking whether C compiler accepts -Wunknown-pragmas... yes
checking whether C compiler accepts -Wthis-test-should-fail... no
checking whether C compiler accepts --param=ssp-buffer-size=1... yes
checking whether C compiler accepts -Waddress... yes
checking whether C compiler accepts -Warray-bounds... yes
checking whether C compiler accepts -Wbad-function-cast... yes
checking whether C compiler accepts -Wchar-subscripts... yes
checking whether C compiler accepts -Wcomment... yes
checking whether C compiler accepts -Wfloat-equal... yes
checking whether C compiler accepts -Wformat-security... yes
checking whether C compiler accepts -Wformat=2... yes
checking whether C compiler accepts -Wmaybe-uninitialized... yes
checking whether C compiler accepts -Wmissing-field-initializers... yes
checking whether C compiler accepts -Wmissing-noreturn... yes
checking whether C compiler accepts -Wmissing-prototypes... yes
checking whether C compiler accepts -Wnested-externs... yes
checking whether C compiler accepts -Wnormalized=id... yes
checking whether C compiler accepts -Woverride-init... yes
checking whether C compiler accepts -Wpointer-arith... yes
checking whether C compiler accepts -Wpointer-sign... yes
checking whether C compiler accepts -Wredundant-decls... yes
checking whether C compiler accepts -Wshadow... yes
checking whether C compiler accepts -Wshorten-64-to-32... no
checking whether C compiler accepts -Wsign-compare... yes
checking whether C compiler accepts -Wstrict-overflow=1... yes
checking whether C compiler accepts -Wstrict-prototypes... no
checking whether C compiler accepts -Wswitch-enum... yes
checking whether C compiler accepts -Wundef... yes
checking whether C compiler accepts -Wunused... yes
checking whether C compiler accepts -Wunused-result... yes
checking whether C compiler accepts -Wunused-variable... yes
checking whether C compiler accepts -Wwrite-strings... yes
checking whether C compiler accepts -fwrapv... yes
creating wolfssl-config - generic 3.12.2 for -lwolfssl
checking the number of available CPUs... 4
configure: adding automake macro support
configure: creating aminclude.am
configure: added jobserver support to make for 5 jobs
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating stamp-h
config.status: creating Makefile
config.status: creating wolfssl/version.h
config.status: creating wolfssl/options.h
config.status: creating support/wolfssl.pc
config.status: creating rpm/spec
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands
---
Running make clean...
---
Generating user options header...
not outputting (N)DEBUG to wolfssl/options.h
option w/o begin -D is -pthread, not saving to wolfssl/options.h
option w/o begin -D is -Wall, not saving to wolfssl/options.h
option w/o begin -D is -Wno-unused, not saving to wolfssl/options.h
option w/o begin -D is -Os, not saving to wolfssl/options.h
option w/o begin -D is -fomit-frame-pointer, not saving to wolfssl/options.h


---
Configuration summary for wolfssl version 3.12.2

   * Installation prefix:        /usr/local
   * System type:                pc-linux-gnu
   * Host CPU:                   i686
   * C Compiler:                 gcc
   * C Flags:                     -Werror -Wno-pragmas -Wall -Wno-strict-aliasing -Wextra -Wunknown-pragmas --param=ssp-buffer-size=1 -Waddress -Warray-bounds -Wbad-function-cast -Wchar-subscripts -Wcomment -Wfloat-equal -Wformat-security -Wformat=2 -Wmaybe-uninitialized -Wmissing-field-initializers -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Wnormalized=id -Woverride-init -Wpointer-arith -Wpointer-sign -Wredundant-decls -Wshadow -Wsign-compare -Wstrict-overflow=1 -Wswitch-enum -Wundef -Wunused -Wunused-result -Wunused-variable -Wwrite-strings -fwrapv
   * C++ Compiler:               g++
   * C++ Flags:                  -g -O2
   * CPP Flags:                   -fvisibility=hidden
   * CCAS Flags:                
   * LIB Flags:                   -pie -z relro -z now -Werror
   * Debug enabled:              no
   * Coverage enabled:          
   * Warnings as failure:        yes
   * make -j:                    5
   * VCS checkout:               yes

   Features
   * Single threaded:            no
   * Filesystem:                 yes
   * OpenSSH Build:              no
   * OpenSSL Extra API:          no
   * OpenSSL Coexist:            no
   * Old Names:                  yes
   * Max Strength Build:         no
   * Distro Build:               no
   * fastmath:                   no
   * Assembly Allowed:           yes
   * sniffer:                    no
   * snifftest:                  no
   * ARC4:                       no
   * AES:                        yes
   * AES-NI:                     no
   * AES-GCM:                    yes
   * AES-CCM:                    no
   * AES-CTR:                    no
   * DES3:                       no
   * IDEA:                       no
   * Camellia:                   no
   * NULL Cipher:                no
   * MD5:                        yes
   * RIPEMD:                     no
   * SHA:                        yes
   * SHA-224:                    no
   * SHA-512:                    no
   * SHA3:                       no
   * BLAKE2:                     no
   * CMAC:                       no
   * keygen:                     no
   * certgen:                    no
   * certreq:                    no
   * certext:                    no
   * HC-128:                     no
   * RABBIT:                     no
   * CHACHA:                     yes
   * Hash DRBG:                  yes
   * PWDBASED:                   no
   * scrypt:                     no
   * wolfCrypt Only:             no
   * HKDF:                       no
   * X9.63 KDF:                  no
   * MD4:                        no
   * PSK:                        no
   * Poly1305:                   yes
   * LEANPSK:                    no
   * LEANTLS:                    no
   * RSA:                        yes
   * RSA-PSS:                    no
   * DSA:                        no
   * DH:                         yes
   * ECC:                        no
   * CURVE25519:                 no
   * ED25519:                    no
   * FPECC:                      no
   * ECC_ENCRYPT:                no
   * ASN:                        yes
   * Anonymous cipher:           no
   * CODING:                     yes
   * MEMORY:                     yes
   * I/O POOL:                   no
   * LIGHTY:                     no
   * HAPROXY:                    no
   * STUNNEL:                    no
   * NGINX:                      no
   * ERROR_STRINGS:              yes
   * DTLS:                       no
   * SCTP:                       no
   * Multicast:                  no
   * Old TLS Versions:           yes
   * SSL version 3.0:            no
   * TLS v1.0:                   no
   * TLS v1.3:                   no
   * TLS v1.3 Draft 18:          no
   * Post-handshake Auth:        no
   * Early Data:                 no
   * Send State in HRR Cookie:   no
   * OCSP:                       no
   * OCSP Stapling:              no
   * OCSP Stapling v2:           no
   * CRL:                        no
   * CRL-MONITOR:                no
   * Persistent session cache:   no
   * Persistent cert    cache:   no
   * Atomic User Record Layer:   no
   * Public Key Callbacks:       no
   * NTRU:                       no
   * QSH:                        no
   * Whitewood netRandom:        no
   * Server Name Indication:     no
   * ALPN:                       no
   * Maximum Fragment Length:    no
   * Truncated HMAC:             no
   * Supported Elliptic Curves:  no
   * Session Ticket:             no
   * Extended Master Secret:     yes
   * Renegotiation Indication:   no
   * Secure Renegotiation:       no
   * All TLS Extensions:         no
   * PKCS#7                      no
   * wolfSSH                     no
   * wolfSCEP                    no
   * Secure Remote Password      no
   * Small Stack:                no
   * valgrind unit tests:        no
   * LIBZ:                       no
   * Examples:                   yes
   * User Crypto:                no
   * Fast RSA:                   no
   * Single Precision:           no
   * Async Crypto:               no
   * Cavium:                     no
   * ARM ASM:                    no
   * AES Key Wrap:               no
   * Write duplicate:            no
   * Intel Quick Assist:         no
   * Xilinx Hardware Acc.:       no

---


ajay@ajay-HP-15-Notebook-PC:~/wolfssl$ make
make -j5  all-am
make[1]: Entering directory '/home/ajay/wolfssl'
  CC       wolfcrypt/src/src_libwolfssl_la-hmac.lo
  CC       wolfcrypt/src/src_libwolfssl_la-hash.lo
  CC       wolfcrypt/src/src_libwolfssl_la-sha256.lo
  CC       wolfcrypt/src/src_libwolfssl_la-random.lo
  CC       wolfcrypt/src/src_libwolfssl_la-cpuid.lo
  CC       wolfcrypt/src/src_libwolfssl_la-rsa.lo
  CC       wolfcrypt/src/src_libwolfssl_la-aes.lo
  CC       wolfcrypt/src/src_libwolfssl_la-sha.lo
  CC       wolfcrypt/src/src_libwolfssl_la-logging.lo
  CC       wolfcrypt/src/src_libwolfssl_la-wc_encrypt.lo
  CC       wolfcrypt/src/src_libwolfssl_la-wc_port.lo
  CC       wolfcrypt/src/src_libwolfssl_la-error.lo
  CC       wolfcrypt/src/src_libwolfssl_la-signature.lo
  CC       wolfcrypt/src/src_libwolfssl_la-memory.lo
  CC       wolfcrypt/src/src_libwolfssl_la-wolfmath.lo
  CC       wolfcrypt/src/src_libwolfssl_la-asn.lo
  CC       wolfcrypt/src/src_libwolfssl_la-dh.lo
  CC       wolfcrypt/src/src_libwolfssl_la-coding.lo
  CC       wolfcrypt/src/src_libwolfssl_la-poly1305.lo
  CC       wolfcrypt/src/src_libwolfssl_la-md5.lo
  CC       wolfcrypt/src/src_libwolfssl_la-chacha.lo
  CC       wolfcrypt/src/src_libwolfssl_la-chacha20_poly1305.lo
  CC       wolfcrypt/src/src_libwolfssl_la-integer.lo
  CC       src/src_libwolfssl_la-internal.lo
  CC       src/src_libwolfssl_la-wolfio.lo
  CC       src/src_libwolfssl_la-keys.lo
  CC       src/src_libwolfssl_la-ssl.lo
  CC       src/src_libwolfssl_la-tls.lo
  CC       wolfcrypt/benchmark/benchmark.o
  CC       wolfcrypt/test/test.o
  CC       examples/client/client.o
  CC       examples/echoclient/echoclient.o
  CC       examples/echoserver/echoserver.o
  CC       examples/server/server.o
  CC       wolfcrypt/test/testsuite_testsuite_test-test.o
  CC       examples/client/testsuite_testsuite_test-client.o
  CC       examples/echoclient/testsuite_testsuite_test-echoclient.o
  CC       examples/echoserver/testsuite_testsuite_test-echoserver.o
  CC       testsuite/testsuite_testsuite_test-testsuite.o
  CC       examples/server/testsuite_testsuite_test-server.o
  CC       tests/tests_unit_test-unit.o
  CC       tests/tests_unit_test-api.o
  CC       tests/tests_unit_test-suites.o
  CC       tests/tests_unit_test-hash.o
  CC       tests/tests_unit_test-srp.o
  CC       examples/client/tests_unit_test-client.o
  CCLD     src/libwolfssl.la
  CC       examples/server/tests_unit_test-server.o
  CCLD     wolfcrypt/test/testwolfcrypt
  CCLD     wolfcrypt/benchmark/benchmark
  CCLD     examples/client/client
  CCLD     examples/echoclient/echoclient
  CCLD     examples/echoserver/echoserver
  CCLD     examples/server/server
  CCLD     testsuite/testsuite.test
  CCLD     tests/unit.test
make[1]: Leaving directory '/home/ajay/wolfssl'

ajay@ajay-HP-15-Notebook-PC:~/wolfssl$ ./examples/client/client -h device.instamsg.io -p 8883 -x -d -g
wolfSSL_connect error -328, malformed buffer input error
wolfSSL error: wolfSSL_connect failed

Please note that I have not made any custom-changes so far in the locally-cloned repository.
So, will be grateful to know what am I missing.

Once again, thanks a ton for your time.


Thanks and Regards,
Ajay

Go to forum: wolfSSL

11 Reply by ajaygargnsit

(9 replies, posted in wolfSSL)

More information :

Doing the following returns BUFFER_ERROR (-328) as well ::

ajay@ajay-HP-15-Notebook-PC:~/wolfssl$ ./examples/client/client -h device.instamsg.io -p 8883 -x -d
wolfSSL_connect error -328, malformed buffer input error
wolfSSL error: wolfSSL_connect failed

Is there something wrong with the server?
The same server-port combination worked fine when we used OpenSSL-client(s).


Will be grateful for some help.


Thanks and Regards,
Ajay

Go to forum: wolfSSL

12 Reply by ajaygargnsit

(9 replies, posted in wolfSSL)

Hi Experts.

Please help !!

Kindly let know if any further information is needed to diagnose the issue; I will try and revert back promptly with whatever it takes to find the root-cause.



Thanks and Regards,
Ajay

Go to forum: wolfSSL

13 Reply by ajaygargnsit

(9 replies, posted in wolfSSL)

Hi All.

Just noticed, that the point where BUFFER_ERROR is being raised, the difference between

inputLength + ssl->arrays->pendingMsgOffset - ssl->arrays->pendingMsgSz
= 119 + 11284 - 11399
= 4

which is exactly equal to HANDSHAKE_HEADER_SZ.
Also, I see a lot of code thereafter where buffers are being copied with adding/subtracting HANDSHAKE_HEADER_SZ.

So, definitely looks like some code needs to be fixed; concerned owners kindly look smile

Thanks and Regards,
Ajay

Go to forum: wolfSSL

14 Reply by ajaygargnsit

(9 replies, posted in wolfSSL)

Hi Kaleb.

Thanks for the help.


The procedure I am using is per your suggestion (sorry the names confused you).
Following is the sequence (not compilable code, but should give a fair idea) ::

    wolfSSL_Init();

    solitary_ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method());
    if(solitary_ssl_ctx == NULL)
    {
        HANDLE_CATASTROPHIC_INIT_ERROR(PROSTR("wolfSSL_CTX_new"), 1)
    }

    wolfSSL_CTX_set_verify(solitary_ssl_ctx, SSL_VERIFY_NONE, 0);

    custom_socket_struct->ssl = wolfSSL_new(solitary_ssl_ctx);
    if(socket->ssl == NULL)
    {
        HANDLE_CATASTROPHIC_INIT_ERROR(PROSTR("wolfSSL_new"), 0)
    }

The same can be confirmed, in the wolfSSL-debug-logs that I pasted in my earlier post.


Thanks and Regards,
Ajay

Go to forum: wolfSSL

15 Topic by ajaygargnsit

(9 replies, posted in wolfSSL)

Hi All.

Initiallly, I connected my client using OpenSSL to our proprietary server, and all things were cool.

Now, we are trying to switch to wolfSSL, and followed the steps as per https://github.com/wolfSSL/wolfssl-exam … ient-tls.c , with important differences being ::

    * We are not using client-certificate for authorization (just require TLS).
       So, we have not added Load client certificates into WOLFSSL_CTX step.

    * We have added the additional wolfSSL_CTX_set_verify(ssl, SSL_VERIFY_NONE, 0); before wolfSSL_connect


Just to clarify, our OpenSSL-client connects fine even without loading client-certificate, hence the avoidance of certificate-loading step.


Things proceed to some extent, but then the wolfSSL_connect step fails at line https://github.com/wolfSSL/wolfssl/blob … al.c#L9774

Following are the wolfSSL-logs, plus some of my custom-logs prepended with ==>
Also, I have added the parameter-values in the last log, that is causing the BUFFER_ERROR to be hit.

Entering [wolfSSL_Init]
Entering [wolfCrypt_Init]
Entering [WOLFSSL_CTX_new_ex]
Entering [wolfSSL_CertManagerNew]
Leaving [WOLFSSL_CTX_new] with return-code [0]
Entering [wolfSSL_CTX_set_verify]
Entering [SSL_new]
Leaving [SSL_new] with return-code [0]
Entering [SSL_connect()]
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
==> wanting [5] bytes
==> read [5] bytes
==> got success
growing input buffer

==> wanting [16384] bytes
==> read [8635] bytes
==> read [2880] bytes
==> read [2880] bytes
==> read [1989] bytes
==> got success
received record layer msg
Entering [DoHandShakeMsg()]
Entering [DoHandShakeMsgType]
processing server hello
Entering [VerifyClientSuite]
Leaving [DoHandShakeMsgType()] with return-code [0]
Leaving [DoHandShakeMsg()] with return-code [0]
More messages in record
received record layer msg
Entering [DoHandShakeMsg()]
Entering [DoHandShakeMsgType]
processing certificate
Entering [ProcessPeerCerts]
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
    Put another cert into chain
Entering [GetExplicitVersion]
Entering [GetSerialNumber]
Got Cert Header
Entering [GetAlgoId]
Entering [GetObjectId()]
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
Entering [GetAlgoId]
Entering [GetObjectId()]
Got Key
Parsed Past Key
Entering [DecodeCertExtensions]
Entering [GetObjectId()]
Entering [DecodeAuthKeyId]
Entering [GetObjectId()]
Entering [DecodeSubjKeyId]
Entering [GetObjectId()]
Entering [DecodeKeyUsage]
Entering [GetObjectId()]
Entering [DecodeBasicCaConstraint]
Entering [GetObjectId()]
Certificate Policy extension not supported yet.
Entering [GetObjectId()]
Entering [DecodeCrlDist]
Entering [GetObjectId()]
Entering [DecodeAuthInfo]
Entering [GetObjectId()]
Entering [GetAlgoId]
Entering [GetObjectId()]
Chain cert not verified by option, not adding as CA
Entering [GetExplicitVersion]
Entering [GetSerialNumber]
Got Cert Header
Entering [GetAlgoId]
Entering [GetObjectId()]
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
Entering [GetAlgoId]
Entering [GetObjectId()]
Got Key
Parsed Past Key
Entering [DecodeCertExtensions]
Entering [GetObjectId()]
Entering [DecodeAuthKeyId]
Entering [GetObjectId()]
Entering [DecodeSubjKeyId]
Entering [GetObjectId()]
Entering [DecodeKeyUsage]
Entering [GetObjectId()]
Entering [DecodeBasicCaConstraint]
Entering [GetObjectId()]
Entering [DecodeExtKeyUsage]
Entering [GetObjectId()]
Entering [GetObjectId()]
Entering [GetObjectId()]
Certificate Policy extension not supported yet.
Entering [GetObjectId()]
Entering [DecodeCrlDist]
Entering [GetObjectId()]
Entering [DecodeAuthInfo]
Entering [GetObjectId()]
Entering [GetObjectId()]
Entering [GetAlgoId]
Entering [GetObjectId()]
Chain cert not verified by option, not adding as CA
Verifying Peer's cert
Entering [GetExplicitVersion]
Entering [GetSerialNumber]
Got Cert Header
Entering [GetAlgoId]
Entering [GetObjectId()]
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
Entering [GetAlgoId]
Entering [GetObjectId()]
Got Key
Parsed Past Key
Entering [DecodeCertExtensions]
Entering [GetObjectId()]
Entering [DecodeAuthKeyId]
Entering [GetObjectId()]
Entering [DecodeSubjKeyId]
Entering [GetObjectId()]
Entering [DecodeKeyUsage]
Entering [GetObjectId()]
Entering [DecodeBasicCaConstraint]
Entering [GetObjectId()]
Entering [DecodeExtKeyUsage]
Entering [GetObjectId()]
Entering [GetObjectId()]
Entering [GetObjectId()]
Certificate Policy extension not supported yet.
Entering [GetObjectId()]
Entering [DecodeCrlDist]
Entering [GetObjectId()]
Entering [DecodeAuthInfo]
Entering [GetObjectId()]
Entering [GetObjectId()]
Entering [GetObjectId()]
Entering [DecodeAltNames]
Entering [GetAlgoId]
Entering [GetObjectId()]
Verified Peer's cert
Leaving [ProcessPeerCerts] with return-code [0]
Leaving [DoHandShakeMsgType()] with return-code [0]
Leaving [DoHandShakeMsg()] with return-code [0]
More messages in record
received record layer msg
Entering [DoHandShakeMsg()]
Entering [DoHandShakeMsgType]
processing server key exchange
Entering [DoServerKeyExchange]
Entering [RsaVerify]
Leaving [RsaVerify] with return-code [51]
Leaving [DoServerKeyExchange] with return-code [0]
Leaving [DoHandShakeMsgType()] with return-code [0]
Leaving [DoHandShakeMsg()] with return-code [0]
More messages in record
received record layer msg
Entering [DoHandShakeMsg()]
==> wanting [5] bytes
==> read [5] bytes
==> got success
==> wanting [119] bytes
==> read [119] bytes
==> got success
received record layer msg
Entering [DoHandShakeMsg()]
==> inputLength = [119], ssl->arrays->pendingMsgOffset = [11284], ssl->arrays->pendingMsgSz = [11399]

What am I missing?


Will be grateful for reply.

Thanks and Regards,
Ajay

Go to forum: wolfSSL