You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → Posts by kareem_wolfssl
Hi tjko,
Great question. We currently have only implemented userAuthResultCb for the public key case. So what you're seeing is expected behavior in the current version of wolfSSH.
Is calling this function in the password case a requirement for your use case?
Are you able to share any information about your project? Are you working on a personal or commercial project? If this information is sensitive, feel free to email us at support [AT] wolfssl [DOT] com.
Thanks,
Kareem
5.7.4 is outdated, please try upgrading to 5.8.0 and let me know if it helps.
Here is a full code sample which should work:
int main(void) {
int i;
int j;
byte input[] = {255};
byte hash[48];
wc_Sha384 sha384;
for (j = 0; j < 10; j++) {
wc_InitSha384(&sha384);
wc_Sha384Update(&sha384, input, sizeof(input));
wc_Sha384Final(&sha384, hash);
printf("Buffer: \n");
for (i = 0; i < 48; i++)
printf("%02x ", hash[i]);
printf("\n");
}
return 0;
}And just to confirm you are calling wc_InitSha384 after each wc_Sha384Update + wc_Sha384Final, correct?
I'm also assuming the sizeof(data) here is actually sizeof(input): wc_Sha384Update(&sha384, input, sizeof(data));
Are you using any kind of hardware acceleration for SHA384? Can you share your version and build settings?
Hi Bryce,
Thanks for the followup. Looks like you are initializing a different variable "sha" here: wc_InitSha384(&sha);
sha384 must be initialized before you can use it, please try replacing this line with: wc_InitSha384(&sha384);
Thanks,
Kareem
Hi Bryce,
That is strange, I would definitely expect the same input to create the same output from SHA384. Please share your code.
We don't have a SHA384 example but we do have a SHA512 example, does your code follow the same general flow? https://github.com/wolfSSL/wolfssl-exam … 512-hash.c
Thanks,
Kareem
Hello matemagico13,
Thank you for your interest in wolfSSL. May I ask if you're working on a personal or commercial project? Are you able to tell us more about your project? If this information is sensitive, please contact us at support [AT] wolfssl [DOT] com.
Error 127 means command not found, this can mean that your toolchain is unable to find the executable or that it is not marked as executable. It looks like in this case it is trying to execute the static library directly, which is not valid.
I do see that you've commented out $(SIZE) in the build_static rule, can you elaborate on why you've done this? Does it work if you uncomment this?
Thanks,
Kareem
Hello Ahmed,
Thanks for sharing your use case.
You will need to create and use a user_settings.h file to build wolfSSL, defining wolfSSL settings in your preprocessor won't work properly for building wolfSSL and linking it to your application.
You'll need to create a project for wolfSSL, define your desired settings in user_settings.h and build it there, then you can link it to your application.
Thanks,
Kareem
Hello Ahmed,
You will need to make a project for wolfSSL in your IDE, build it, then link it with your application. We have some IDE examples here but we don't currently have any for NXP Design Studio: https://github.com/wolfSSL/wolfssl/tree/master/IDE We do have an MCUEXPRESSO example for NXP.
To configure wolfSSL, you'll need to place a user_settings.h file with your build settings in the root of the wolfSSL directory, then built with WOLFSSL_USER_SETTINGS defined. I would recommend referring to our examples here, specifically user_settings_template.h: https://github.com/wolfSSL/wolfssl/tree … es/configs
You may also find the "Building wolfSSL" section of our manual helpful: https://www.wolfssl.com/documentation/m … ter02.html
For our OpenSSL compatibility layer, you'll need to define OPENSSL_EXTRA in your user_settings.h, if you need more APIs which are not covered in extra you can also define OPENSSL_ALL, but this is a more resource-intensive operation.
Can you share some information on your project? Are you working on a personal or commercial project? If this information is private, you are welcome to email us at support [AT] wolfssl [DOT] com.
Thanks,
Kareem
Hi Grant,
Thanks for the report. Please try the patch below and let me know if it helps, my colleague has reproduced your issue on his STM32 and has confirmed that this patch fixes the issue for him:
From 645da3317636d2bf4d1b35059f6cb6fc35c60812 Mon Sep 17 00:00:00 2001
From: Kareem <kareem@wolfssl.com>
Date: Thu, 17 Apr 2025 14:33:44 -0700
Subject: [PATCH] Fix unused function warning for wc_AesDecrypt when building
with STM32. This function is not needed for AES-CCM, as the AES-CCM decrypt
function only calls wc_AesEncrypt.
---
wolfcrypt/src/aes.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 86e7be9dc9..6e7f104dd4 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -233,7 +233,7 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
#endif /* WOLFSSL_AES_DIRECT || HAVE_AESGCM || HAVE_AESCCM */
#ifdef HAVE_AES_DECRYPT
- #if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESCCM)
+ #if defined(WOLFSSL_AES_DIRECT)
static WARN_UNUSED_RESULT int wc_AesDecrypt(
Aes* aes, const byte* inBlock, byte* outBlock)
{
@@ -340,7 +340,7 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
return ret;
}
- #endif /* WOLFSSL_AES_DIRECT || HAVE_AESCCM */
+ #endif /* WOLFSSL_AES_DIRECT */
#endif /* HAVE_AES_DECRYPT */
#elif defined(HAVE_COLDFIRE_SEC)Thanks,
Kareem
Hi fenster,
Great question. Our wolfssl-py repo includes a client and server example, they both support DTLS using the -u argument. I would recommend using them as a reference: https://github.com/wolfSSL/wolfssl-py/t … r/examples
Thanks,
Kareem
Hi bkeller02,
Thanks for the followup. Please try running nm on the output library, for example /usr/local/lib/libwolfssl.a.
If you still see wc_ChaCha20Poly1305_Decrypt in the output, try running "ldd" on your application and confirm that it is pointing to the correct wolfSSL library. If you have a system wolfSSL package installed, try uninstalling it.
Thanks,
Kareem
Hi bkeller02,
I expect the function wc_ChaCha20Poly1305_Decrypt to be available with the defines HAVE_CHACHA and HAVE_POLY1305, there are no additional requirements for this function as of 5.7.6. Just to be sure, can you try replacing these flags with --enable-chacha --enable-poly1305 and let me know if it helps?
If not, please confirm what version of wolfSSL you're using. Please also try running
nm -g --defined-onlyon your wolfSSL library and confirm whether you see wc_ChaCha20Poly1305_Decrypt in the output.
Thanks,
Kareem
Hi Mohammed,
Thank you for the followup. As you are working on a commercial project, please forward your issue to support [AT] wolfssl [DOT] com.
Thanks,
Kareem
Hi Mohammed,
As the site you are connecting to is hosted by a CDN, you will most likely need to enable SNI to connect: https://www.wolfssl.com/documentation/m … ssl_usesni
If this doesn't help you can also try enabling alt cert chains via: --enable-altcertchains
Can you share a bit about your project with wolfSSL? Are you using wolfSSL in a personal or commercial project? If these details are sensitive, please contact us at support [AT] wolfssl [DOT] com.
Thanks,
Kareem
Hello da,
We can look into adding a manual reset for the alert count, we will need to open a feature request for this. Please email us at support [AT] wolfssl [DOT] com to set this up.
Thanks,
Kareem
Hi fenster,
To start with, build wolfSSL with --enable-distro and any other features you wish to enable, then run "make deb", this will generate an installable Debian package. You can alternatively run "make deb-docker" to perform this build inside of a docker container.
We don't currently support building a Debian package from wolfssl-py, only a PIP package which you'll find the instructions for here: https://github.com/wolfSSL/wolfssl-py
If you'd like us to add support for this, I can help you set up a feature request, please email us at support [AT] wolfssl [DOT] com.
Thanks,
Kareem
Hello da,
Great question. You can define the macro WOLFSSL_ALERT_COUNT_MAX to the max number of alerts you want to accept before throwing an error, so if you truly want to ignore alerts you can: #define WOLFSSL_ALERT_COUNT_MAX 9999
We do not reset the alert count in the code anywhere so this will eventually get tripped if enough alerts are accumulated. The count is not reset until the WOLFSSL struct is freed.
I would recommend finding a way to fix the errors leading to alerts rather than ignoring/suppressing them.
Can you share some information about your project? Are you working on a personal or commercial project? Feel free to email us at support [AT] wolfssl [DOT] com if this information is sensitive.
Thanks,
Kareem
Hi Sadanand,
Great question. So we don't have a define called HAVE_AESCCM_8, and you don't need any extra defines. The exact same build settings are used to enable TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256.
If I'm understanding right, your connection is closing after a few seconds, is that correct? If so, are you confident your server supports the cipher suite TLS_AES_128_CCM_8_SHA256?
Please share your user_settings.h and generate and share a full debug log. To generate a debug log, build with --enable-debug --enable-debug-trace-errcodes and run wolfSSL_Debugging_ON() at the start of your program.
Please share some information about your project. Are you working on a personal or commercial project?
Feel free to email us at support [AT] wolfssl [DOT] com if any of this information is sensitive.
Thanks,
Kareem
wolfSSL will attempt to include stdarg.h if OPENSSL_EXTRA is defined, you'll need to remove this define if you don't have this header available on your system.
Hi Nilesh,
Great question. So the client only needs to store/know about the root CA, to load this use wolfSSL_CTX_load_verify_buffer. The server will load the intermediate certs and the server certs, you can use wolfSSL_CTX_use_certificate_chain_buffer for this.
During the connection, the server will send over its cert and all intermediates, then the client will verify that the chain is verified against the root CA it has loaded.
Hi Nilesh,
I am happy to help. So if I'm understanding right, you want to be able to update your certificate buffer without recompiling your application. In this case we would recommend setting aside a section of flash for your certificate, and pointing your cert buffer to this address. Then you can update your certificate by replacing this section rather than recompiling your entire application.
We don't support automatically generating certificates as described. If you would like us to add support for this, we would need to set up a feature request, please contact us at support [AT] wolfssl [DOT] com to set this up.
Thanks,
Kareem
This define will go in your user_settings.h, you can find more information on and some examples of user_settings here: https://github.com/wolfSSL/wolfssl/tree … es/configs
I would recommend starting with user_settings_template.h and adjusting it to your use case.
Hi Nilesh,
Great question. Security wise, you are better off generating a new CA certificate with a lower expiration date like 1 year vs a longer expiration date like 20 years.
Around the 1 year mark when your certificate is about to expire, you will want to generate a new certificate for the server, we have some examples of how to do this with wolfSSL here: https://github.com/wolfSSL/wolfssl-exam … er/certgen
On the client side, you will need to load the newly generated CA certificate instead of the old one, since you are using a static buffer in code you'd need to update this buffer and rebuild your code. If your device supports a filesystem, you could point wolfSSL to a file which you'd replace when the cert expires.
May I ask if you are using wolfSSL in a personal or commercial project? Feel free to email us at support [AT] wolfssl [DOT] com if this information is sensitive.
Thanks,
Kareem
Hi Bryce,
Thank you for your interest in wolfSSL and great question. For Integrity OS, you will need to define __INTEGRITY or INTEGRITY, this define should be set by default by your toolchain.
We have various IDE example projects here which you may find helpful: https://github.com/wolfSSL/wolfssl/tree/master/IDE
May I ask what kind of project you are using wolfSSL in and whether it is personal or commercial? You are welcome to email us at support [AT] wolfssl [DOT] com if these details are sensitive.
Thanks,
Kareem
Hi OilProducts,
What version of wolfSSL are you using and which compiler are you using on OS X? What version is your OS X compiler/toolchain? If you aren't using our latest release 5.7.6, please give it a try and let me know if it helps.
Thanks,
Kareem
wolfSSL - Embedded SSL Library → Posts by kareem_wolfssl
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.009 seconds (67% PHP - 33% DB) with 4 queries