You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by john
Are you using configure to set up your build first? Did you try:
./configure C_EXTRA_FLAGS=-DCYASSL_AES_DIRECT
make
./ctaocrypt/test/testctaocryptOne other question, why are you using such an old copy of CyaSSL embedded SSL? v2.8.0 is from late 2013. I'd recommend upgrading to the current version of wolfSSL. (We changed the name of the library recently. Same code, different name.)
Sorry about the delay in responding. That's a good suggestion. Please see commit fe303c97 in our GitHub repository.
I'm glad to see you found a work-around for the problem. I have a colleague looking into this right now as well. We will investigate a more permanent solution for this.
Thanks!
On your platform, we're depending on the compiler to make the 64-bit data operations work using its 32-bit registers/math. I'm wondering if it is messing up. I made a little test application that did a couple rotations on my Mac.
#include "wolfssl/wolfcrypt/types.h"
#include "wolfcrypt/src/misc.c"
#include <stdio.h>
int main(void)
{
word64 test;
test = 1;
printf("test = %lu\n", test);
test = rotlFixed64(test, 33);
printf("test = %lX\n", test);
test = 1;
printf("test = %lu\n", test);
test = rotrFixed64(test, 5);
printf("test = %lX\n", test);
}The output was:
test = 1
test = 200000000
test = 1
test = 800000000000000Can you try it out, or something like it, on your device?
ECDSA uses a random number as part of the signature process. If you call ecc_sign_hash() multiple times with the same data, you will get a different signature every time. But, all the signatures will verify correctly with ecc_verify_hash(). Do they provide the secret number in a PEM or DER wrapper?
Are you sure you really want to do that? That's what got a large video game console manufacturer in trouble.
Are you setting USE_SLOW_SHA2 or CTAOCRYPT_SLOW_WORD64?
Tangent: It looks like you included "misc.c" in your project. With the way your build is configured, that file is included in the other files that needs it. There is an option to compile it on its own, but you aren't using that, and it is a little faster to not do that. And all the warnings in internal.c shouldn't be there; we added the parens around the assignments that is supposed to hush those warnings.
re 19:
I think you are showing the LS 32-bits of the buffer words. Right before the Transform384 in Sha384Final using the data "abc", I get
(lldb) p/x sha384->buffer
(word64 [16]) $18 = {
[0] = 0x6162638000000000
[1] = 0x0000000000000000
[2] = 0x0000000000000000
[3] = 0x0000000000000000
[4] = 0x0000000000000000
[5] = 0x0000000000000000
[6] = 0x0000000000000000
[7] = 0x0000000000000000
[8] = 0x0000000000000000
[9] = 0x0000000000000000
[10] = 0x0000000000000000
[11] = 0x0000000000000000
[12] = 0x0000000000000000
[13] = 0x0000000000000000
[14] = 0x0000000000000000
[15] = 0x0000000000000018This looks like "Chunk" 0 in the example you gave me from that external site. (I'm running on OS X.)
In 20, when you say iteration 3, are you talking about the loop in Transform384? (So, technically iteration 48, since that loop is doing 16 iterations at a time?)
Since your compiler is trying to do 64-bit stuff with a 32-bit compiler, maybe it is tripping up on not rotating something enough, or truncating a 64-value at 32-bits in the wrong spot.
I don't think it is accessing outside the tables with negative array indices because they are masked to 3 or 4 bits. (unless there are shenanigans regarding the types of the bare numbers.) And there shouldn't be any assumptions made about locals being initialized, beyond they aren't.
Which version of wolfSSL are you using right now and did you download it from our website?
Could you try
#define CTAOCRYPT_SLOW_WORD64Is your compiler throwing any warnings during the build of wolfSSL?
OK. I see what's going on here. When running the wolfSSL client connecting to that server, you only need to add the root CA, AddTrustExternalRootCA. The server is sending its certificate, and the signing chain, including a copy of the AddTrust. When processing the Certificate message, wolfSSL ends up ignoring the AddTrust certificate and then checking the next certificate, COMODO RSA Certification Authority. That one is successfully verified and added to the CA pool. The next certificate, COMODO RSA Domain Validation Secure Server CA, is checked and is rejected because the signature fails.
This happens because by default wolfSSL is using fast math which uses preallocated buffers for the big integers, and the size defaults to 4096 to allow for the 2048x2048 bit multiply needed for RSA. The certificate COMODO RSA Certification Authority has a 4096-bit key, so the following RSA signature check fails.
I configured my local wolfSSL build to set FP_MAX_BITS=8192 which will allow for the 4096x4096 bit multiply. (Actually, first I used non-fastmath, then fastmath with with the bigger max bits.) The connection succeeded.
This doesn't answer why the SHA-384 and SHA-512 hash tests fail for you since those are known-answer tests that don't involve RSA or the big integer math. (I'll follow up on that later.)
For places to print out data, you could add prints of the digest at the end of Sha384Update() and run it both on your device and on the desktop and see when they start to differ.
On the signer error, I found this link. They are trying to get the right signer certs together in a chain file using the Comodor cert chain.
The order for the cat command should be:
$ cat ComodorRSADomainValidSecureServerCA ComodorRSACertAuth AddTrustCert > cert.pemThe peer certificate is signed by ComodorRSADomainValidSecureServerCA, which is signed by ComodorRSACertAuth, which is signed by AddTrustCert, which signs itself.
On the hash problem, if you take out the CYASSL_SHA384 does the SHA-512 test case succeed?
Is your device big-endian or little-endian?
For the "client" command you can only include one certificate with the "-A" option. The command line option processor saves the file name and loads the file later, so only the last file name is saved. If you
cat AddTrustCert ComodorRSACertAuth ComodorRSADomainValidSecureServerCA > combo.pemand then -A combo.pem, all three will be loaded. (This assumes the certificates are in PEM format. We can't load DER certificates concatenated together.)
Back to the SHA-384 issue. Do you have 64-bit data types available on your platform? Could you do a
printf("sizeof(long long) = %u\n", sizeof(long long));The SHA-384/512 uses type word64 (unsigned long long) in the internal state. And you deleted the "NO_SHA512" from the MBED settings? You are using the MBED block in settings.h with "#define CYASSL_MBED" uncommented? Setting SIZEOF_LONG_LONG to 8 should be enabling the typedef for word64 in types.h.
Also, have you run the ctaocrypt test on your target board? It does some known answer tests for all the ciphers and hashes you have enabled.
For SHA-384, you have to add the following to your settings.
#define CYASSL_SHA512
#define CYASSL_SHA384Can you connect to the server using our example command line client using only your root CA? (For example, connecting to google.com with the GeoTrust Global CA certificate.)
When the client receives the Certificate message, it should be checking all the certificates in order from last to first. The last one is signed by the root CA, and the first is the peer's certificate. Each one is loaded into the certificate manager and used to verify the next certificate.
Which platform are you running on? Are you using the configure script to set up the build, or is it through an IDE of some kind?
You're welcome.
To answer your questions:
Do you know what the times between CyaSSL handshake messages are?
At this point, it seems like the issue is caused by a timeout either server-side or radio-side.
It seems like the library shouldn't be causing timeout issues with it being less than a second or two to run various code segments between outputting data to the server?
It all depends on how fast your hardware is and what cipher suites you are using. The public key cryptography is slow. On a desktop PC you'd probably never see any kind of delay, but on an embedded device the RSA operation could take hundreds of milliseconds. The point in the handshake where your device was timing out was after the public key operations. I don't think Google is timing out; I added in a 3 second delay right before my client sends its Change Cipher Spec message and Google still finished the handshake.
There isn't a timeout on the handshake. If the socket closes then we'll get an error from the recv() and tear down the session.
Is it possible that the google.com server is requesting a certificate to distinguish between clients that connect to it?
Public web servers are commonly configured to use anonymous clients without their own certificates. The server would send a Certificate Request handshake message to the client in the non-anonymous case, and from your logs there wasn't any evidence of Google doing that.
Is there a way to tell the library to use a timeout on connections for trying to read the next record from the server? If so, where/how is it set?
This would be accomplished by setting a timeout on the socket, or using non-blocking sockets and calling select() on the socket. Or using custom I/O routines with CyaSSL (wolfSSL).
I'm going to try to pull more debug values from the client at various points of interest in the code, but I'm not sure what to be looking for/at.
Is there any code difference between connecting to say google.com versus wikipedia.org?
The library works consistently on certain websites and doesn't work consistently on the google.com and yahoo.com domains.
I would expect the code operates the same way for the SSL code regardless of which website it connects to, which would beg the question of what is different about the named websites that would cause a handshake failure, whereas the other websites are connecting just fine.
There shouldn't be any differences between connecting to any site. Except for the CA certificate you are loading to verify the server's certificate. Google, Wikipedia, and Yahoo! are all using different certificate issuers. Google is signed by GeoTrust, Wikipedia is signed by GlobalSign, and Yahoo! is signed by VeriSign.
Since I'm on a Mac, I get those certificates out of my KeyChain application. I save them and then covert them to PEM format, and concatenate them into a single file. With the wolfSSL client, I use the -A option to load that file.
The record layer headers are all fine up until the client sends a ClientKeyExchange message, after which the next record layer header received from the server is: 0D,0A,4E,4F,20
That's not a record layer header from the server. That's the string "<CR><LF>NO<SPACE>". Is that part of the over-the-air protocol you are tunneling the SSL through? Is the rest of the line "CARRIER" or something? Or maybe it is your option D.
As for option B, the server should be sending a clear "Change Cipher Spec" message, followed by an encrypted Finished handshake message. For all TLS records, the record header is in the clear.
The wolfssl.sln VS solution wraps the wolfSSL (now wolfSSL) library, and the projects for our example server, client, echoserver, and echoclient, and some of our test tools. The solution builds the wolfSSL library and includes it into the other sub-projects automatically.
Attached is a screen capture of the solution browser on VS Express 2012. I opened the wolfssl.sln solution and it upgraded it from 2008 to 2012, but the layout is still the same. When I'm doing some testing, I'll build the server or client, and VS builds the library dependency first, and then the server, and handles the linking for me. If I were to open the disclosure on the Source Files under the "wolfssl" solution, the library sources would show up.
When you got the 10/78, were you printing out the version numbers from inside the DoFinished() function or were you looking at them in the data stream?
Have you tried the connection using the example client from the command line?
Which "method" function are you using to make your CyaSSL_CTX object?
I can connect to Google with our example client using SSLv3 (0), TLSv1.0 (1), TLSv1.1 (2), and TLSv1.2 (3):
% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 0
% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 1
% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 2
% ./examples/client/client -g -h www.google.com -p 443 -A equifax-for-google.pem -v 3And I get the 404 response for each of those, decoded.
Could you capture the network traffic for the connection attempt using Wireshark?
I don't have a good answer without guessing.
Your curl is probably building against OpenSSL. The TLS spec says to have in the chain the certificate, and all signers, in order, up to the CA certificate which should be already loaded. (See RFC5246 §7.4.2.) wolfSSL copies the certificates into an array in order, and then processes the certificates starting with the last one back up to the peer's certificate. We try to process them all. It looks like they are ignoring the extra certificates.
TL;DR: You need to rebuild wolfSSL with MAX_CHAIN_DEPTH set to 12. Given your server's certificate chain, you need to load as CA certificates both the "GeoTrust Global CA" and VeriSign's "Class 3 Public Primary Certification Authority", not the Equinox certificate. And your server's certificate chain has a certificate named "Axeda Systems CA" which is expired.
I'm curious about the "Certificate Policy extension not supported yet." line close to the end of the trace. This seems to be caused by the function DecodeAuthInfo(), which has a comment stating "Only supporting URIs right now." I see this function failing (with the corresponding log message) a few times in the trace, but the rest of the time it seems to be succeeding. Can you shed some light on this? Specifically, is this the cause of our problem or just a side effect?
Red herring. The function DecodeAuthInfo() is parsing the Authority Info Access extension which lists things like OCSP servers. We only parse out the URL for an OCSP lookup. The Certificate Policy extension string you are seeing is output by the function DecodeCertExtensions() when it sees the Certificate Policy extension. There is a SEP profile that uses that extension to put IDs for devices in it. Normally we ignore the extension.
When processing the peer’s certificate chain provided in the Certificate handshake message, we only process up to MAX_CHAIN_DEPTH certificates from the peer; by default that constant is set to 9. The cert chain is:
0: peer cert from Axeda Hosting, signed by GeoTrust SSL CA
1: VeriSign Trust Network, signed by Verisign’s Class 3 Public Primary CA
2: Axeda System CA, self signed
3 to 10: A bunch of VeriSign certificates
11: GeoTrust SSL CA, signed by GeoTrust Global CA
Certificate 11’s Authority Key Identifier is C0:7A:98:68:... which matches the GeoTrust Global CA’s Subject Key ID, not the Equifax certificate you are using as your CA.
When I use our example client to connect to your server with the command
% ./examples/client/client -p 443 -g -h nucleus-connect.axeda.comI get error -368, Maximum Chain Depth Exceeded. I changed MAX_CHAIN_DEPTH to 12 and get error -188, No Signer. Then I use the GeoTrust Global CA,
% ./examples/client/client -p 443 -g -h nucleus-connect.axeda.com -A GeoTrustGlobalCA.pemAnd I also got error -188, No Signer. That was because all the unused VeriSign certificates needed a CA as well. I grabbed VeriSign's “Class 3 Public Primary Certification Authority” certificate from my keychain and appended it to my local copy of the GeoTrust CA in a file called certs.pem. So,
% ./examples/client/client -p 443 -g -h nucleus-connect.axeda.com -A certs.pemI get error -151, ASN Date Error, Current Date After. One of the certs in the chain has an expired certificate. It looks like certificate 2, "CN=Axeda Systems CA" expired on Jan 7, 2013.
I hope that helps.
What are you trying to do? Are you trying to encrypt your own data with the cipher or do you want to use an AES-GCM cipher suite with TLS/SSL?
wolfSSL - Embedded SSL Library → Posts by john
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.019 seconds (88% PHP - 12% DB) with 5 queries