376 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi,

We have a problem during the client-server communication, where the server doesn't complete the SSL handshake. This cause the connect function to be stuck forever and it never returns.

Do you know where the SSL handshake is getting stuck?  Have you turned on wolfSSL debug messages?  You can do so by adding DEBUG_WOLFSSL to your preprocessor flags, then calling wolfSSL_Debugging_ON() / wolfSSL_Debugging_OFF() from your code.

We want to have a (blocking) connect function that we can call with a timeout, and if it doesn't able to complete the connection during that timeout, it simply returns with an error. Can I do that at all?

By default wolfSSL uses send() and recv() in its default I/O callbacks.  You should be able to set a timeout value on your socket when you initially create it, using setsockopt().

Because we failed to do the above, we thought of using the non-blocking connect call. The problem was, we couldn't compile it with WOLFSSL_CALLBACKS set.  Can I do that without defining WOLFSSL_CALLBACKS?

Yes, you can use non-blocking I/O without defining WOLFSSL_CALLBACKS.  woflSSL can use either blocking or non-blocking I/O.  See the API reference for wolfSSL_connect(), wolfSSL_accept(), wolfSSL_read(), or wolfSSL_write() for more info on how each works when non-blocking I/O is used.

Our example client and server are also set up to do non-blocking I/O when the "-N" command line option is used.  Feel free to look at client.c or server.c for example usage.

Best Regards,
Chris

Go to forum: wolfSSL

377 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi dtiemann,

A return value of -4 is an SSL_BAD_FILE error.  Can you double check the formatting of your PEM string?  You should have the header and footer and you should have lines separated with a LF or CRLF.

Regards,
Chris

Go to forum: wolfSSL

378 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi raphaell,

Can you try using C_EXTRA_FLAGS instead of CFLAGS when configuring wolfSSL embedded SSL? 

A while back we switched reading additional flags in from the user from CFLAGS to C_EXTRA_FLAGS to avoid conflicts with modifications we have made to the ./configure system.

Thanks,
Chris

Go to forum: wolfSSL

379 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi Mor,

It looks like WOLFSSL_CALLBACKS doesn't currently support Windows, as like you noted, it uses <sys/time.h>.  Will you need to use WOLFSSL_CALLBACKS?  The handshake callback (WOLFSSL_CALLBACKS) is intended for embedded systems for debugging support.  That is, when a good debugger isn't available and sniffing is impractical.  It basically allows a trace of the handshake embedded SSL.

Regards,
Chris

Go to forum: wolfSSL

380 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi dtiemann,

wolfSSL_KeyPemToDer() is currently only compiled into wolfSSL if our OpenSSL compatibility layer has been defined when building wolfSSL.

You can enable the compatibility layer by using the --enable-opensslextra ./configure option, or by adding OPENSSL_EXTRA to your list of preprocessor flags.

Can you give this a try and let me know if it works for you?

Thanks,
Chris

Go to forum: wolfSSL

381 Reply by chrisc

(21 replies, posted in wolfSSL)

Hi Everyone,

Just a quick note that we now have our updated wolfSSL Porting Guide online, with a PDF version available for download:

http://yassl.com/yaSSL/Docs-cyassl-porting-guide.html

Please let us know if you have any questions.

Best Regards,
Chris

Go to forum: wolfSSL

382 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi,

wolfSSL's OpenSSL compatibility layer was designed to make porting into existing OpenSSL applications easier, but is far from complete.  It maps roughly the most-used 300 OpenSSL functions to the native wolfSSL API, where OpenSSL has over 4,000 in total.

It sounds like the functions you have listed are related to certificate generation.  For an example of how wolfSSL does certificate generation, see ./ctaocrypt/test/test.c, specifically the code inside of the #ifdef WOLFSSL_CERT_GEN define of rsa_test().

a. SSL_get_privatekey

wolfSSL doesn't currently support this function.  For certificate generation, wolfSSL uses an RsaKey structure, which contains a RSA private key.  A private key buffer (in DER format) can be loaded into an RsaKey structure using the RsaPrivateKeyDecode() function.

b. X509_set_version

In OpenSSL, this function lets the application set the X.509 certificate version to use.  wolfSSL embedded SSL only supports X.509 V3 certificate generation.  As such, this function is not needed with wolfSSL.

c. X509_set_serialNumber

When doing certificate generation with wolfSSL, the serial number can be set directly by the user when filling in the "Cert" structure.

d. X509_NAME_add_entry_by_txt

Like the previous function, certificate fields can be set directly by the user when filling in the "Cert" structure.

e. X509_sign

wolfSSL's equivalent to X509_sign() would be the SignCert() function, with usage shown in rsa_test() of test.c.

Best Regards,
Chris

Go to forum: wolfSSL

383 Reply by chrisc

(21 replies, posted in wolfSSL)

Hi Bart and Roberto,

You should both be receiving the wolfSSL Porting Guide in your email inbox soon.

Thanks,
Chris

Go to forum: wolfSSL

384 Reply by chrisc

(8 replies, posted in wolfSSL)

Hi Lukas,

We haven't found time yet to add support for secure renegotiation, but it's still on our list.

Best Regards,
Chris

Go to forum: wolfSSL

385 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Zeddi,

That will be fixed in the next wolfSSL release.  We updated it in our GitHub repository a couple days ago (https://github.com/cyassl/cyassl/commit … 59e45b02c8), so feel free to use the updated certificate found there.

Best Regards,
Chris

Go to forum: wolfSSL

386 Reply by chrisc

(21 replies, posted in wolfSSL)

Hi Gnate,

Hopefully I'll get time to publish the guide on our website soon.  I'll email it over to you for your reference.

Regarding integrating wolfSSL with LwIP, wolfSSL currently can use LwIP out-of-the-box when WOLFSSL_LWIP is defined - as long as LwIP is using the BSD style socket API. 

If you need to use the RAW LwIP API, like you mentioned above, you'll have to write and register your own I/O callbacks with wolfSSL.  Info about I/O callbacks can be found in Section 5.1.2 of the wolfSSL Manual (http://yassl.com/yaSSL/Docs-cyassl-manu … ility.html).  If you run into any questions, feel free to reach out to us at support@wolfssl.com.

Best Regards,
Chris

Go to forum: wolfSSL

387 Reply by chrisc

(2 replies, posted in wolfSSL)

Hi Daniel,

You are correct in your findings.  Our client/server examples currently assume that there will be a file system available.  We'll need to work on making those easier to use in filesystem-less environments.

You'd need to use the buffer loading functions to load your certificates and keys instead of the file loading functions, ie:

wolfSSL_CTX_load_verify_buffer
wolfSSL_CTX_use_certificate_buffer
wolfSSL_CTX_use_PrivateKey_buffer
etc.

Best Regards,
Chris

Go to forum: wolfSSL

388 Reply by chrisc

(21 replies, posted in wolfSSL)

Hi abak2409,

I just sent you a PM.

Best Regards,
Chris

Go to forum: wolfSSL

389 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi,

This seems to be an issue where the CURL configure system isn't setting SIZEOF_LONG_LONG for your platform.  I'll look into it and get back to you with a more permanent solution, but as a temporary fix, you can define SIZEOF_LONG_LONG manually during CURL's ./configure process, making your ./configure line similar to:

./configure CFLAGS=-DSIZEOF_LONG_LONG=8 --prefix=/home/chris/installed_library/curl-7.32.0 --without-ssl --with-cyassl==/home/chris/installed_library/cyassl-2.8.0

where sizeof(long long) would equal 8 on your platform.

Best Regards,
Chris

Go to forum: wolfSSL

390 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Yun,

Your understanding of RsaPrivateKeyDecode() is correct.  It is used to decode a key from a DER format into an RsaKey structure. 

SSL_FILETYPE_RAW is used with NTRU (a separate public key algorithm which CyaSSL supports).  DER format is indicated by SSL_FILETYPE_ASN1.

Best Regards,
Chris

Go to forum: wolfSSL

391 Reply by chrisc

(21 replies, posted in wolfSSL)

Hi Robin,

You should be receiving the porting guide via email shortly.

Best Regards,
Chris

Go to forum: wolfSSL

392 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi,

Currently wolfSSL embedded SSL doesn't have the ability to generate a CSR.  We have had a few inquiries recently about CSR generation though.  Are you able to share any details about the project you are working on?

Thanks,
Chris

Go to forum: wolfSSL

393 Reply by chrisc

(21 replies, posted in wolfSSL)

Hi SLR,

At the moment, it isn't available on our site yet.  We have plans of getting it posted, but until then, I'll just send it to you in an email.

Best Regards,
Chris

Go to forum: wolfSSL

394 Reply by chrisc

(3 replies, posted in wolfSSL)

Hi ctb,

Yes, the AesEncryptDirect() and AesDecryptDirect() functions just do a direct ECB-mode AES operation.  These are left out of the documentation because ECB (Electronic codebook) mode is not regarded as very secure.  If you take a look at the penguin image on the following Wikipedia page under the "ECB" section, you will see that it doesn't hide patterns very well:

https://en.wikipedia.org/wiki/Block_cip … _operation

Best Regards,
Chris

Go to forum: wolfSSL

395 Reply by chrisc

(7 replies, posted in wolfSSL)

Spoke too soon... should be updated now.

Thanks,
Chris

Go to forum: wolfSSL

396 Reply by chrisc

(7 replies, posted in wolfSSL)

Hi ctb,

It looks like this has been fixed post-5.2.1.  You can view our most current version of the CTaoCrypt usage reference online, here:  http://yassl.com/yaSSL/Docs-cyassl-manu … rence.html.

A new version of the PDF Manual will be released with our upcoming 2.8.0 release.

Thanks,
Chris

Go to forum: wolfSSL

397 Reply by chrisc

(18 replies, posted in wolfSSL)

Hi Hans-Jürgen,

The reason that OpenSSL worked in this case is because when s_client received the client certificate request, it was sending a blank client certificate automatically (without you having to load one).  With wolfSSL 2.7.0 on the other hand, if the application didn't load a client certificate, and the server requested one, wolfSSL wouldn't send a blank client certificate with TLS 1.0 or TLS 1.1 because it wasn't required by the RFC.  Only with TLS 1.2 (as required).

We just fixed this issue as of this commit (https://github.com/cyassl/cyassl/commit … 6e99d21ac6).  If you update to our latest GitHub code, your connection should now work as expected.  wolfSSL will now send a blank client certificate for TLS 1.0, 1.1, and 1.2 if the server requests one and the application has not loaded a client certificate.

Best Regards,
Chris

Go to forum: wolfSSL

398 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi Steffen,

Can you check to make sure you have the same preprocessor flags set in both your CyaSSL project file as well as your ConsoleApplication2 project file?  A mismatch in these will cause the internal Sha structure sizes to differ, thus causing problems.

Thanks,
Chris

Go to forum: wolfSSL

399 Reply by chrisc

(2 replies, posted in wolfSSL)

WolfSSL can be used with the LwIP stack, and is generally fairly easy to get running on a variety of processors. To use wolfSSL with LwIP, you'll need to define CYASSL_LWIP in <cyassl_root>/cyassl/ctaocrypt/settings.h when compiling wolfSSL. By default, wolfSSL uses the LwIP BSD Socket API. You'll need to have this enabled in your LwIP stack.

Regarding getting wolfSSL embedded SSL running on your processors, you'll need to make sure that you:

1) Define SIZEOF_LONG and SIZEOF_LONG_LONG to match the output of sizeof(long) and sizeof(long long) respectively for your platform

2) Set the correct endianness for your processor. Define BIG_ENDIAN_ORDER if big endian, otherwise define LITTLE_ENDIAN_ORDER if little endian.

Go to forum: wolfSSL

400 Reply by chrisc

(1 replies, posted in wolfSSL)

Hi,

You'll need to do a couple of things to build the existing Visual Studio wolfSSL project file with NO_RSA and HAVE_ECC:

1.  In the Visual Studio project file for wolfSSL embedded SSL, you'll need to add NO_RSA and HAVE_ECC to the Preprocessor Definitions.

2.  You'll need to remove the OPENSSL_EXTRA define already listed in the preprocessor definitions in the project settings.

3.  You'll need to add the ./ctaocrypt/src/ecc.c source file to the "Source Files" list in Visual Studio.

4.  Clean and re-build the wolfSSL project.

Best Regards,
Chris

Go to forum: wolfSSL