1

(6 replies, posted in wolfSSL)

dgarske wrote:

Hi windyMk92,

Can you share what your IO read/write callback functions look like (my_EmbedReceive)? Also can you send your logs to review?

You might try using the WOLFSSL_ALT_CERT_CHAINS build option. I've noticed some FTP servers include an additional certificate not in the chain.

Thanks,
David Garske, wolfSSL

Hi David,

Here is my callback function. It is based on the wolf callback function:

int ftpIORecv(WOLFSSL *ssl, char *buf, int sz, void *ctx)
{
    LOCK_FTP_MUTEX
    int sd = *(int*)ctx;
    int recvd = 0;
    recvd = lwip_recv(sd, buf, sz, ssl->rflags);
    UNLOCK_FTP_MUTEX
    if (recvd < 0) {
        int err = errno;
        WOLFSSL_MSG("Embed Receive error");

        if (err == EWOULDBLOCK || err == EAGAIN) {
            WOLFSSL_MSG("\tWould block");
            return WOLFSSL_CBIO_ERR_WANT_READ;
        }
        else if (err == ECONNRESET) {
            WOLFSSL_MSG("\tConnection reset");
            return WOLFSSL_CBIO_ERR_CONN_RST;
        }
        else if (err == EINTR) {
            WOLFSSL_MSG("\tSocket interrupted");
            return WOLFSSL_CBIO_ERR_ISR;
        }
        else if (err == ECONNABORTED) {
            WOLFSSL_MSG("\tConnection aborted");
            return WOLFSSL_CBIO_ERR_CONN_CLOSE;
        }
        else {
            WOLFSSL_MSG("\tGeneral error");
            return WOLFSSL_CBIO_ERR_GENERAL;
        }
    }
    else if (recvd == 0) {
        WOLFSSL_MSG("Embed receive connection closed");
        return WOLFSSL_CBIO_ERR_CONN_CLOSE;
    }

    return recvd;
}

/* The send embedded callback
 *  return : nb bytes sent, or error
 */
int ftpIOSend(WOLFSSL* ssl, char *buf, int sz, void *ctx)
{
    LOCK_HTTP_MUTEX
    int sd = *(int*)ctx;
    int sent = -1;

#ifdef WOLFSSL_MAX_SEND_SZ
    if (sz > WOLFSSL_MAX_SEND_SZ)
        sz = WOLFSSL_MAX_SEND_SZ;
#endif
    sent = lwip_send(sd, buf, sz, ssl->wflags);
    printf("ftpIOSend %d %d\n", sd, sz);
    UNLOCK_HTTP_MUTEX
    if (sent < 0) {
        int err = errno;
        WOLFSSL_MSG("Embed Send error");

        if (err == EWOULDBLOCK || err == EAGAIN) {
            WOLFSSL_MSG("\tWould Block");
            return WOLFSSL_CBIO_ERR_WANT_WRITE;
        }
        else if (err == ECONNRESET) {
            WOLFSSL_MSG("\tConnection reset");
            return WOLFSSL_CBIO_ERR_CONN_RST;
        }
        else if (err == EINTR) {
            WOLFSSL_MSG("\tSocket interrupted");
            return WOLFSSL_CBIO_ERR_ISR;
        }
        else if (err == EPIPE) {
            WOLFSSL_MSG("\tSocket EPIPE");
            return WOLFSSL_CBIO_ERR_CONN_CLOSE;
        }
        else {
            WOLFSSL_MSG("\tGeneral error");
            return WOLFSSL_CBIO_ERR_GENERAL;
        }
    }
    return sent;
}

Btw, I somehow solved my problem by increasing the RAM for each thread.
Thank you very much for your reply.

2

(6 replies, posted in wolfSSL)

dgarske wrote:

Hi windyMk92,

You might also want to use these APIs to set your own IO callback context pointer. This will allow you to specify a different socket/IO context for each thread.

wolfSSL_SetIOReadCtx
wolfSSL_SetIOWriteCtx

Thanks,
David Garske, wolfSSL

Hi David,
I was using wolfSSL_set_fd instead of those APIs. I tried to use a mutex based on this example
https://github.com/wolfSSL/wolfssl-exam … threaded.c but I still face the error.

Thank you.

3

(6 replies, posted in wolfSSL)

dgarske wrote:

Hi windyMk92,

The attachments are missing. Feel free to email support@wolfssl.com if you cannot post them here.

Is the issue specific to two concurrent threads or just when the STM32F7 is acting as the server? Are you using AES Hardware acceleration? If so have you tried disabling using NO_STM32_CRYPTO?

For multi-threading the common issues are not using mutex protection on the WOLFSSL object between threads. For the WOLFSSL_CTX you should have separate ones. Make sure the server side CTX constructor is using the wolfTLSv1_2_server_method or wolfSSLv23_server_method (to select highest available TLS version and allow downgrade).

We have some excellent TLS examples here: https://github.com/wolfSSL/wolfssl-exam … master/tls

Thanks,
David Garske, wolfSSL

Dear David,

Thank you for your quick response.
Let me clarify my issue:
+ I'm using 2 concurrent threads: HTTPS on port 443 and FTPS on port 990
+ I didn't use AES Hardware acceleration

#define NO_STM32_HASH
#define NO_STM32_CRYPTO
#define WOLFSSL_STM32F7
#define STM32_HAL_V2
#define HAL_CONSOLE_UART huart1

+ I didn't use mutex protection for my threads, so maybe it causes my problem.
+ For the WOLFSSL_CTX, yes it is separated for each thread, and I'm using wolfTLSv1_2_server_method.

void HTTPS_ServerTask(void const * args)
{
    SOCKET_T       sockfd = 0;
    WOLFSSL_METHOD* method = 0;
    WOLFSSL_CTX*    ctx    = 0;
    word16 port= 443;
    /* Let tcp_listen assign port */
    wolfTcp_listen(&sockfd, &port, 1, 0, 0);

    method = wolfTLSv1_2_server_method();

    ctx    = wolfSSL_CTX_new(method);
#ifndef USE_WOLFSSL_IO
    wolfSSL_CTX_SetIORecv(ctx, my_EmbedReceive);
    wolfSSL_CTX_SetIOSend(ctx, my_EmbedSend);
#endif
...
}

void FTPS_ServerTask(void const * args)
{
    SOCKET_T       sockfd = 0;
    WOLFSSL_METHOD* method = 0;
    WOLFSSL_CTX*    ctx    = 0;

    word16 port= 990;
    /* Let tcp_listen assign port */
    wolfTcp_listen(&sockfd, &port, 1, 0, 0);
    method = wolfTLSv1_2_server_method();

    ctx    = wolfSSL_CTX_new(method);

#ifndef USE_WOLFSSL_IO
    wolfSSL_CTX_SetIORecv(ctx, my_EmbedReceive);
    wolfSSL_CTX_SetIOSend(ctx, my_EmbedSend);
#endif
...
}

Both threads use the same functions my_EmbedReceive/my_EmbedSend.

I will try adding mutex protection for my threads.
Thank you.
Sincerely.

4

(6 replies, posted in wolfSSL)

Hi everyone,
I'm trying to use wolfSSL to secure an http_server and an FTP server on an STM32F746 board.
I'm using FreeRTOS and lwIP to create 2 threads for the http_server and the FTP server. Both the http_server and the FTP server share a self-signed certificate. When only one thread has a client connected to it (http_server or FTP client) at a time, it works fine.
When the http_server is serving its client, if an FTP client tries to connect to my FTP server then an error occurs; please see the files I attached below.

Please give me some clues to help me solve my problem.

Thanks in advance.

The error message in the FileZilla client:
Error:    GnuTLS error -110: The TLS connection was non-properly terminated.
Status:    Server did not properly shut down TLS connection
Error:    The data connection could not be established: ECONNABORTED - Connection aborted
Error:    Connection timed out after 20 seconds of inactivity
Error:    Failed to retrieve directory listing

Hi David,

Your "sudo ldconfig" did solve my problem and yes, I was using "sudo USE_LOCAL_WOLFSSL=/usr/local pip3 install ."

Here is what I got:

Creating file ed25519.der
Creating file src/ed25519_pub_key.c
    [CC-ARM] src/ed25519_pub_key.o
    [CC-ARM] src/update_flash.o
    [CC-ARM] lib/wolfssl/wolfcrypt/src/sha256.o
    [CC-ARM] lib/wolfssl/wolfcrypt/src/sha512.o
    [CC-ARM] lib/wolfssl/wolfcrypt/src/ed25519.o
    [CC-ARM] lib/wolfssl/wolfcrypt/src/ge_low_mem.o
    [CC-ARM] lib/wolfssl/wolfcrypt/src/hash.o
    [CC-ARM] lib/wolfssl/wolfcrypt/src/wolfmath.o
    [CC-ARM] lib/wolfssl/wolfcrypt/src/fe_low_mem.o
    [LD] wolfboot.elf
    [BIN] wolfboot.bin

    [SIZE]
   text       data        bss        dec        hex    filename
  10536          0         32      10568       2948    wolfboot.elf

make[1]: Entering directory '/home/rocky92/wolfBoot/test-app'
    [CC-ARM] app_stm32f4.o
    [CC-ARM] led.o
    [CC-ARM] system.o
    [CC-ARM] timer.o
    [CC-ARM] startup_arm.o
    [LD] image.elf
    [BIN] image.bin
make[1]: Leaving directory '/home/rocky92/wolfBoot/test-app'
   text       data        bss        dec        hex    filename
   4172          4        296       4472       1178    test-app/image.elf
    [SIGN] test-app/image.bin

python3 tools/keytools/sign.py --ed25519 test-app/image.bin ed25519.der 1
Update type:          Firmware
Input image:          test-app/image.bin
Selected cipher:      ed25519
Public key:           ed25519.der
Output image:         test-app/image_v1_signed.bin
Calculating sha256 digest...
Signing the firmware...
Done.
Output image successfully created.
    [MERGE] factory.bin

Please help me clarify some questions:

1. I see some .bin files here.
    wolfboot.bin is my bootloader, isn't it? If it is, I just need to download it to the beginning of my flash?

2. I need to provide my application firmware to sign it with the public key. In this case it is image.bin in the '/home/rocky92/wolfBoot/test-app' directory.
   Can I force wolfBoot to use a different directory?

3. Can I modify my public key - ed25519.der? And how?

Thank you.
Tu Nguyen

Hi David,

Thanks for your response. But I believe that I enabled --enable-ed25519.
I also followed the instructions on GitHub and used this command:

rocky92@ubuntu:~/wolfssl$ ./configure --enable-keygen --enable-rsa --enable-ecc --enable-ed25519 --enable-des3 CFLAGS="-DWOLFSSL_PUBLIC_MP" --enable-all

Here is what I got:

---
Configuration summary for wolfssl version 4.3.0

   * Installation prefix:        /usr/local
   * System type:                pc-linux-gnu
   * Host CPU:                   x86_64
   * C Compiler:                 gcc
   * C Flags:                    -DWOLFSSL_PUBLIC_MP   -Werror -Wno-pragmas -Wall -Wno-strict-aliasing -Wextra -Wunknown-pragmas --param=ssp-buffer-size=1 -Waddress -Warray-bounds -Wbad-function-cast -Wchar-subscripts -Wcomment -Wfloat-equal -Wformat-security -Wformat=2 -Wmaybe-uninitialized -Wmissing-field-initializers -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Wnormalized=id -Woverride-init -Wpointer-arith -Wpointer-sign -Wredundant-decls -Wshadow -Wsign-compare -Wstrict-overflow=1 -Wswitch-enum -Wundef -Wunused -Wunused-result -Wunused-variable -Wwrite-strings -fwrapv
   * C++ Compiler:               
   * C++ Flags:                  
   * CPP Flags:                  
   * CCAS Flags:                 -DWOLFSSL_PUBLIC_MP  
   * LIB Flags:                   -pie -z relro -z now -Werror 
   * Debug enabled:              no
   * Coverage enabled:           
   * Warnings as failure:        yes
   * make -j:                    2
   * VCS checkout:               yes

   Features 
   * Single threaded:            no
   * Filesystem:                 yes
   * OpenSSH Build:              yes
   * OpenSSL Extra API:          yes
   * OpenSSL Coexist:            no
   * Old Names:                  no
   * Max Strength Build:         no
   * Distro Build:               no
   * fastmath:                   yes
   * Assembly Allowed:           yes
   * sniffer:                    no
   * snifftest:                  no
   * ARC4:                       yes
   * AES:                        yes
   * AES-NI:                     no
   * AES-CBC:                    yes
   * AES-GCM:                    yes
   * AES-CCM:                    yes
   * AES-CTR:                    yes
   * DES3:                       yes
   * IDEA:                       yes
   * Camellia:                   yes
   * NULL Cipher:                yes
   * MD5:                        yes
   * RIPEMD:                     yes
   * SHA:                        yes
   * SHA-224:                    yes
   * SHA-384:                    yes
   * SHA-512:                    yes
   * SHA3:                       yes
   * SHAKE256:                   yes
   * BLAKE2:                     no
   * CMAC:                       yes
   * keygen:                     yes
   * certgen:                    yes
   * certreq:                    yes
   * certext:                    yes
   * certgencache:               no
   * HC-128:                     yes
   * RABBIT:                     yes
   * CHACHA:                     yes
   * Hash DRBG:                  yes
   * PWDBASED:                   yes
   * scrypt:                     yes
   * wolfCrypt Only:             no
   * HKDF:                       yes
   * X9.63 KDF:                  yes
   * MD4:                        yes
   * PSK:                        yes
   * Poly1305:                   yes
   * LEANPSK:                    no
   * LEANTLS:                    no
   * RSA:                        yes
   * RSA-PSS:                    yes
   * DSA:                        yes
   * DH:                         yes
   * DH Default Parameters:      no
   * ECC:                        yes
   * ECC Custom Curves           yes
   * CURVE25519:                 yes
   * ED25519:                    yes
   * CURVE448:                   yes
   * ED448:                      no
   * FPECC:                      yes
   * ECC_ENCRYPT:                yes
   * ASN:                        yes
   * Anonymous cipher:           no
   * CODING:                     yes
   * MEMORY:                     yes
   * I/O POOL:                   no
   * LIGHTY:                     yes
   * HAPROXY:                    yes
   * STUNNEL:                    yes
   * Apache httpd:               no
   * NGINX:                      yes
   * ASIO:                       yes
   * LIBWEBSOCKETS:              yes
   * Qt                          yes
   * Qt Unit Testing             no
   * SIGNAL:                     no
   * ERROR_STRINGS:              yes
   * DTLS:                       yes
   * SCTP:                       no
   * Indefinite Length:          yes
   * Multicast:                  no
   * Old TLS Versions:           yes
   * SSL version 3.0:            yes
   * TLS v1.0:                   no
   * TLS v1.3:                   yes
   * TLS v1.3 Draft 18:          no
   * TLS v1.3 Draft 22:          no
   * TLS v1.3 Draft 23:          no
   * TLS v1.3 Draft 26:          no
   * TLS v1.3 Draft 28:          no
   * Post-handshake Auth:        no
   * Early Data:                 no
   * Send State in HRR Cookie:   no
   * OCSP:                       yes
   * OCSP Stapling:              yes
   * OCSP Stapling v2:           yes
   * CRL:                        yes
   * CRL-MONITOR:                yes
   * Persistent session cache:   yes
   * Persistent cert    cache:   yes
   * Atomic User Record Layer:   yes
   * Public Key Callbacks:       yes
   * NTRU:                       no
   * QSH:                        no
   * Whitewood netRandom:        no
   * Server Name Indication:     yes
   * ALPN:                       yes
   * Maximum Fragment Length:    yes
   * Trusted CA Indication:      yes
   * Truncated HMAC:             yes
   * Supported Elliptic Curves:  yes
   * FFDHE only in client:       no
   * Session Ticket:             yes
   * Extended Master Secret:     yes
   * Renegotiation Indication:   no
   * Secure Renegotiation:       no
   * Fallback SCSV:              no
   * All TLS Extensions:         yes
   * PKCS#7                      yes
   * wolfSSH                     yes
   * wolfSCEP                    yes
   * Secure Remote Password      yes
   * Small Stack:                no
   * valgrind unit tests:        no
   * LIBZ:                       no
   * Examples:                   yes
   * User Crypto:                no
   * Fast RSA:                   no
   * Single Precision:           no
   * Async Crypto:               no
   * PKCS#11:                    no
   * PKCS#12:                    yes
   * Cavium Nitox:               no
   * Cavium Octeon (Sync):       no
   * Intel Quick Assist:         no
   * ARM ASM:                    no
   * AES Key Wrap:               yes
   * Write duplicate:            no
   * Xilinx Hardware Acc.:       no
   * Inline Code:                yes
   * Linux AF_ALG:               no
   * Linux devcrypto:            no
   * Crypto callbacks:           no


I think I followed all the steps in the instructions for setting the Python signing tool.
https://github.com/wolfSSL/wolfBoot/blo … ll-python3


As far as I understand from following the instructions:
1. Install Python3
2. Install wolfSSL
3. Install wolfcrypt-py (needs to be built inside wolfssl, using cd wolfssl to locate the directory)
4. Install wolfBoot
    using make to build the bootloader
5. Implement the wolfBoot library into my firmware, then sign it

Am I right?
Thanks a lot.

Hi everyone,

I'm new to this wonderful wolfBoot. I'm very keen on using this with my new project on STM32F7. But every time I tried to build it on Windows, some weird error occurred. To be honest, I'm not so familiar with using Cygwin/Msys2 to build a library on Windows.
Last time I tried to build it on Ubuntu, everything seemed to be good until an error appeared:

Traceback (most recent call last):
  File "tools/keytools/keygen.py", line 25, in <module>
    from wolfcrypt import ciphers
  File "/usr/local/lib/python3.6/dist-packages/wolfcrypt/ciphers.py", line 23, in <module>
    from wolfcrypt._ffi import ffi as _ffi
ImportError: libwolfssl.so.24: cannot open shared object file: No such file or directory
Makefile:220: recipe for target 'ed25519.der' failed
make: *** [ed25519.der] Error 1

Of course, it's my mistake. But could anyone please guide me step by step on how to build/make this bootloader on Windows/Ubuntu?
Thanks in advance.