Hi albmont99,

If you only need to debug a memory issue, I recommend using our memory debug features instead.
To activate this, build with the following flags: USE_WOLFSSL_MEMORY WOLFSSL_TRACK_MEMORY WOLFSSL_DEBUG_MEMORY WOLFSSL_DEBUG_MEMORY_PRINT
You can find more information about this feature in wolfcrypt/src/memory.c.

Thanks,
Kareem

2

(2 replies, posted in wolfCrypt)

Hi m_u_h,

You can call wolfCrypt_GetStatus_fips to get the current FIPS POST status. If it returns 0, POST was successful; non-zero means there was an error.
Yes, you can call wolfCrypt_IntegrityTest_fips to manually trigger a POST.

Thanks,
Kareem

Hi albmont999,

Looks like you are using static memory, are you confident you need this feature for your platform?
If so, check out our static memory guide here for more information on how to set this up correctly: https://docs.google.com/document/d/1nST … k7gp4/edit

Thanks,
Kareem

Yes, please try updating to 5.5.3.
wpa_supplicant requires multiple build flags which you can find in configure.ac: https://github.com/wolfSSL/wolfssl/blob … e.ac#L1669
You will need to define all of them.  The main flag is WOLFSSL_WPAS.

Hi Himanshu,

Are you using the latest wolfSSL release, 5.5.3?  If not, please retry with 5.5.3.
If so, are you building wolfSSL with --enable-wpas?  Please attach your build config.
One special note with FIPS is that it requires a minimum password size of 14 bytes (i.e. 14 characters) due to the FIPS standard; shorter passwords will not work.

Thanks,
Kareem

6

(6 replies, posted in wolfSSL (formerly CyaSSL))

Hi Danny,

-188 is ASN_NO_SIGNER_E. This means we were not able to find a CA signer for your peer's certificate.
Are you registering CA certificates before connecting?  You can register CA certs using a _verify API such as wolfSSL_CTX_load_verify_buffer.  Are you confident your CA certificates include your peer's certificate?

Thanks,
Kareem

7

(6 replies, posted in wolfSSL (formerly CyaSSL))

Hi Danny,

-155 is ASN_SIG_CONFIRM_E. It means we were unable to confirm your certificate's signature.  Are you confident your peer's certificate is valid?  Are you registering CA certificates before trying to connect?  Can you provide your build settings? (user_settings.h or ./configure line)
Please also confirm you are using our latest wolfSSL release, 5.5.3.

Thanks,
Kareem

8

(3 replies, posted in wolfCrypt)

Hi swaroopk,

Did you install your distro's wolfSSL, or did you build it yourself?  If you built it yourself, please attach your build settings (user_settings.h or ./configure line).
It looks like you're missing SHA support (i.e. --disable-sha or NO_SHA), please confirm SHA is enabled.  Please also confirm you're using the latest wolfSSL release, 5.5.3.

Hi sc4l7dpz,

I would recommend using our XCODE project found here: https://github.com/wolfSSL/wolfssl/tree … /IDE/XCODE

Let me know if you continue to run into issues with it.

Thanks,
Kareem

10

(5 replies, posted in wolfCrypt)

Is your FIPS hash unstable?  Is it changing after you change it in fips_test.c and rebuild?
If so, make sure you are linking wolfCrypt FIPS in the right order. See our linker script here for an example: https://github.com/wolfSSL/wolfssl/blob … er_fips.ld
Specifically, wolfcrypt_first.o needs to come first, then the FIPS objects, and lastly wolfcrypt_last.o.
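
A way to check the link order described in the post above before rebuilding. This is an added example, not part of the original post and not wolfSSL tooling; the function name and the sample object lists are hypothetical, and only wolfcrypt_first.o and wolfcrypt_last.o come from the post.

```shell
#!/bin/sh
# check_fips_link_order "<objects in link order>" "<FIPS objects>"
# Returns 0 when wolfcrypt_first.o precedes every listed FIPS object and
# wolfcrypt_last.o follows all of them; reports each problem and returns 1 otherwise.
check_fips_link_order() {
    order=$1      # whitespace-separated object names, in link order
    fips_objs=$2  # whitespace-separated FIPS object names (from your linker script)
    first=0 last=0 pos=0 bad=0

    # Record the 1-based position of the two boundary objects.
    for obj in $order; do
        pos=$((pos + 1))
        case ${obj##*/} in
            wolfcrypt_first.o) first=$pos ;;
            wolfcrypt_last.o)  last=$pos ;;
        esac
    done
    if [ "$first" -eq 0 ] || [ "$last" -eq 0 ]; then
        echo "boundary object missing from link order" >&2
        return 1
    fi

    # Every FIPS object must sit strictly between the two boundaries.
    for want in $fips_objs; do
        pos=0 found=0
        for obj in $order; do
            pos=$((pos + 1))
            [ "${obj##*/}" = "$want" ] || continue
            found=1
            if [ "$pos" -le "$first" ] || [ "$pos" -ge "$last" ]; then
                echo "$want is outside wolfcrypt_first.o..wolfcrypt_last.o" >&2
                bad=1
            fi
        done
        [ "$found" -eq 1 ] || { echo "$want is not linked" >&2; bad=1; }
    done
    return $bad
}

# Constructed sample link orders; the FIPS object names are illustrative only.
FIPS_OBJS="hmac.o sha256.o fips.o"
GOOD="wolfcrypt_first.o hmac.o sha256.o fips.o wolfcrypt_last.o main.o"
BAD="hmac.o wolfcrypt_first.o sha256.o fips.o wolfcrypt_last.o main.o"

check_fips_link_order "$GOOD" "$FIPS_OBJS" && echo "GOOD: link order ok"
check_fips_link_order "$BAD" "$FIPS_OBJS" || echo "BAD: fix the link order"
```

Feed it the object order from your own link command or linker map, and the FIPS object list from your linker script.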

11

(5 replies, posted in wolfCrypt)

Hi karikjame2021,

In addition to the above, you will need to register a FIPS hash callback in your application.  See below for how to register this.  Note that our test suite already has its own FIPS hash callback.

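#ifdef HAVE_FIPS
    #include <stdio.h>
    #include <wolfssl/wolfcrypt/error-crypt.h>  /* wc_GetErrorString, IN_CORE_FIPS_E */
    #include <wolfssl/wolfcrypt/fips_test.h>    /* wolfCrypt_SetCb_fips */

    /* FIPS callback: prints the status, error string and computed hash. */
    static void myFipsCb(int ok, int err, const char* hash)
    {
        printf("in my Fips callback, ok = %d, err = %d\n", ok, err);
        printf("message = %s\n", wc_GetErrorString(err));
        printf("hash = %s\n", hash);

        if (err == IN_CORE_FIPS_E) {
            printf("In core integrity hash check failure, copy above hash\n");
            printf("into verifyCore[] in fips_test.c and rebuild\n");
        }
    }
#endif

/* Register the callback during start-up, e.g. at the top of main(): */
#ifdef HAVE_FIPS
    wolfCrypt_SetCb_fips(myFipsCb);
#endif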

May I ask where you are located, and if this is for a commercial project?  Feel free to reach out to us at support [AT] wolfssl [DOT] com if this is sensitive information.

Thanks,
Kareem

12

(5 replies, posted in wolfCrypt)

Hi karikjame2021,

This is most likely caused by an outdated FIPS hash. You will need to update your FIPS hash and rebuild.  The easiest way to do this is to run the script "fips-hash.sh" in the root of your wolfSSL directory.
You will need to register our FIPS seed callback in your application with the following code:

#ifdef WC_RNG_SEED_CB
    wc_SetSeed_Cb(wc_GenerateSeed);
#endif

Thanks,
Kareem

13

(2 replies, posted in wolfSSL (formerly CyaSSL))

Please confirm which build options you are using and that you're on our latest release (5.5.0) or master.

Try adding the options from this configure line and let me know if it helps: ./configure --enable-certgen --enable-asn=template CFLAGS="-DWOLFSSL_CUSTOM_OID -DHAVE_OID_ENCODING"

14

(10 replies, posted in wolfSSL (formerly CyaSSL))

Hello,

Your ECC key is using a Koblitz curve which we do not enable support for by default.
Please add --enable-ecccustcurves=all to your configure line, rebuild wolfSSL and let me know if you still see any issues.

Thanks,
Kareem

Hello Messias,

You will need to use our custom OID support to mark extensions as critical/non-critical.
Check out our example here: https://github.com/wolfSSL/wolfssl-exam … ns-example
https://github.com/wolfSSL/wolfssl-exam … stom_ext.c
The second parameter of wc_SetCustomExtension specifies whether the extension is marked as critical or not.

Thanks,
Kareem

Hello,

-308 is a socket error. To get more information on what is causing this error, you can enable debug logging by defining DEBUG_WOLFSSL and running wolfSSL_Debugging_ON() at the beginning of your code.
Make sure you are using our latest release, 5.4.0.

Thanks,
Kareem

Hi Jun Li,

We do have different behavior than OpenSSL by default with cert chains. To use OpenSSL's behavior you can build wolfSSL with WOLFSSL_ALT_CERT_CHAINS.  Let me know if you still have any issues with alt cert chains defined.

Thanks,
Kareem

18

(10 replies, posted in wolfSSL (formerly CyaSSL))

Happy to help.

What error code is wolfSSL_PEM_read_PrivateKey returning?  Can you provide the private key you are trying to load, and the code you are using?  Feel free to email us at support [AT] wolfssl [DOT] com if this is sensitive info.

Thanks,
Kareem

19

(10 replies, posted in wolfSSL (formerly CyaSSL))

Happy to help.

For wolfSSL_EC_KEY_dup, you'll need OpenSSL all enabled as well, so you'll need to add --enable-opensslall to your ./configure line.
wolfSSL_EC_POINT_is_on_curve requires USE_ECC_B_PARAM.  Add CFLAGS='-DUSE_ECC_B_PARAM' to your configure line.

We don't currently support EC_GROUP_get0_generator or PEM_write_PrivateKey.  You will need to replace these functions, or send a request to support AT wolfssl DOT com if you'd like to see these added to our compatibility layer.
I also wanted to note we provide wolfEngine, for full OpenSSL compatibility: https://github.com/wolfSSL/wolfEngine
But we do recommend using our OpenSSL compatibility layer when possible.

Hi Chris,

We do not support doing this at runtime.  Are you able to remove the undesired certificates from your chain before passing it to wolfSSL?

Thanks,
Kareem

21

(10 replies, posted in wolfSSL (formerly CyaSSL))

Hello,

Which version of wolfSSL are you using?  If you aren't using our latest release (5.4.0), try upgrading and let me know if it helps.
How are you building wolfSSL?  Can you share your build settings (user_settings.h or ./configure line)?
Your includes look correct. Make sure you have <wolfssl/options.h> included before all other wolfssl headers in all files using these headers.

Thanks,
Kareem

22

(2 replies, posted in wolfCrypt)

Hello vico,

The RA4M2 uses SCE hardware acceleration, which we do support.  To activate this support, define WOLFSSL_RENESAS_SCEPROTECT in your user_settings.h.
For a template, check out our RA6M4 e2studio project, which also uses SCE: https://github.com/wolfSSL/wolfssl/tree … udio/RA6M4

May I ask if this is for a commercial or personal project?

Thanks,
Kareem

23

(9 replies, posted in wolfSSL (formerly CyaSSL))

You can disable wolfSSL's certificate validity check using wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
This significantly hurts security, and we strongly recommend against it.  Instead, you should register your CA certificates by calling wolfSSL_CTX_load_verify_locations(ctx, NULL, "/path/to/CAcerts/"); before connecting.

Thanks,
Kareem

Hi msjeon,

Try running /bin/bash ./configure ...  If that fails, your bash is likely too old (our minimum requirement is 3.x), so you will need to upgrade.  Alternatively, you can use our Makefile + user_settings.h instead of ./configure.  See our template in IDE/GCC-ARM (you can remove all of the ARM specific parts).

On Solaris, you will want to build wolfSSL as a static library using --enable-static --disable-shared, and ensure you are using gmake to build.  You may also need to disable our builtin make clean at the end of ./configure using --disable-makeclean.

Thanks,
Kareem

I am happy to help, Farhan.

Check out our docs on wolfSSL + Renesas here: https://www.wolfssl.com/docs/renesas/
The link I provided has some example projects for e2studio. We also have some for CS+: https://github.com/wolfSSL/wolfssl/tree … B/Projects

Please continue to use our ticket system via support [at] wolfssl [dot] com for further support.

Thanks,
Kareem