76 Reply by anthony

(10 replies, posted in wolfSSL)

During the parsing of the certificate, the public key is not being stored: 

#if (!defined(WOLFSSL_NO_MALLOC) && !defined(NO_WOLFSSL_CM_VERIFY)) || \
    defined(WOLFSSL_DYN_CERT)
    /* cert->publicKey not stored as copy if WOLFSSL_NO_MALLOC defined */
    if ((cert->keyOID == RSAk
    #ifdef WC_RSA_PSS
         || cert->keyOID == RSAPSSk
    #endif
         ) && cert->publicKey != NULL && cert->pubKeySize > 0) {
        ptr = (char*)XMALLOC(cert->pubKeySize, cert->heap,
                              DYNAMIC_TYPE_PUBLIC_KEY);
        if (ptr == NULL)
            return MEMORY_E;
        XMEMCPY(ptr, cert->publicKey, cert->pubKeySize);
        cert->publicKey = (byte *)ptr;
        cert->pubKeyStored = 1;
    }

#endif

So 

cert->pubKeyStored

is not getting set to 1.  I was able to get past this by adding 

-DWOLFSSL_DYN_CERT

to 

CFLAGS

. That said, I later got an out of memory error: 

wolfSSL Entering SendCertificateVerify
sent: certificate verify
connect state: FIRST_REPLY_THIRD
growing output buffer
wolfSSL Entering DtlsMsgPoolSave
wolfSSL Entering DtlsMsgNew
wolfSSL Leaving DtlsMsgPoolSave(), return 0
ERROR ran out of static memory
wolfSSL error occurred, error = -125
wolfSSL Entering wolfSSL_get_error
wolfSSL Leaving wolfSSL_get_error, return -125
err = -125, out of memory error

I'll need to ask my colleagues how to increase the memory pool size.

Please stay tuned.

Warm regards, Anthony

Go to forum: wolfSSL

77 Reply by anthony

(10 replies, posted in wolfSSL)

Hello, Will (whjochim),

My name is Anthony and I am a member of the wolfSSL team. I have been able to reproduce what you are seeing.  Thank you so much for all the details you provided!! 

I had to build a separate instance of wolfSSL for the server side like this: 

./configure --enable-dtls --enable-dtls13
make all 
./examples/server/server -u -v 3 -c certs/server-cert.pem -k certs/server-key.pem

That's when I saw 

err = -173, Bad function argument

Let me run this with a debugger and get some better information. Unfortunately, I can't use your stack trace as the line numbers don't match what I have. I'm not sure what version of wolfSSL you are using.  Please stay tuned.

In the meantime, can you please let me know some information about yourself and your project?  We love know about the people that use our code and what they are doing with it.  Some example questions for you:

- where are you geographically located?
- what are your goals?
- is your project personal, academic or professional?
- is there an institution associated with this work?

If you do not want to disclose this information on a public forum, feel free to send it to me at anthony@wolfssl.com

Warm regards, Anthony

Go to forum: wolfSSL

78 Reply by anthony

(5 replies, posted in wolfSSL)

Hello likewise,
Can you please send a message to support@wolfssl.com noting your interest in this feature? 
Thanks and warm regards, Anthony

Go to forum: wolfSSL

79 Reply by anthony

(6 replies, posted in wolfSSL)

Hi jacob.andersen,

Yes, the correct way would be 2 separate context objects. Please try that and let us know how it goes.

Warm regards, Anthony

Go to forum: wolfSSL

80 Reply by anthony

(8 replies, posted in wolfSSL)

Hi Tony,
Excellent.  Instead of putting up a pull request, can you put up a bug report.  We have a preference for bug reports as accepting pull requests would require you submit a contributor agreement.
Warm regards, Anthony

Go to forum: wolfSSL

81 Reply by anthony

(8 replies, posted in wolfSSL)

Correction: TLS 1.2 connection.  Not TLS 1.3 connection.

Go to forum: wolfSSL

82 Reply by anthony

(8 replies, posted in wolfSSL)

Hi Tony,

I've modified your user_settings.h.  See the end of this message.  Then on my linux machine built with the following command: 

./configure --enable-usersettings

I then downloaded your root certificate and executed the example client like this: 

./examples/client/client -A root.pem  -h a2jtk2rms8uea8-ats.iot.us-east-1.amazonaws.com -p 8883

And I got a successful TLS 1.3 connection. 

This tells me there might be some incompatibility with the way freeRTOS is being used or the way wolfMQTT is calling into wolfSSL. The most likely problem is a memory issue.  How much memory are you giving to this process?   Perhaps try increasing it?

Warm regards, Anthony

=============================================
#ifndef USER_SETTINGS_H
#define USER_SETTINGS_H

#define WOLFSSL_IGNORE_FILE_WARN

/*-- Cipher related definitions  -----------------------------------------------
*
*
*----------------------------------------------------------------------------*/
#define WOLFSSL_ALT_CERT_CHAINS



#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS

#define HAVE_SUPPORTED_CURVES
#define HAVE_FFDHE_2048

#ifndef WOLFSSL_OPTIONS_IGNORE_SYS
    #undef  _POSIX_THREADS
    #define _POSIX_THREADS
#endif

#define HAVE_THREAD_LS
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING

#define HAVE_AESGCM
#define HAVE_AESCCM
#define HAVE_AES_ECB
#define WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_DIRECT

#define WOLFSSL_SHA512
#define WOLFSSL_SHA384
#define HAVE_HKDF

#define HAVE_ECC
#define TFM_ECC256
#define ECC_SHAMIR
#define WC_RSA_PSS
#define WOLFSSL_BASE64_ENCODE

#define WOLFSSL_KEY_GEN


#define HAVE_ECC_CDH
#define WC_RSA_NO_PADDING
#define WOLFSSL_VALIDATE_FFC_IMPORT
#define WOLFSSL_VALIDATE_ECC_IMPORT
#define HAVE_FFDHE_Q
#define WOLFSSL_NO_SHAKE256

#define WOLFSSL_CMAC
#define WOLFSSL_SHA224
#define WOLFSSL_SHA3
#define WOLFSSL_SHAKE256
#define HAVE_HASHDRBG

#define HAVE_SUPPORTED_CURVES
#define HAVE_EXTENDED_MASTER
#define HAVE_ENCRYPT_THEN_MAC
#define USE_FAST_MATH
#define WOLFSSL_X86_64_BUILD
#define WC_NO_ASYNC_THREADING
#define HAVE_DH_DEFAULT_PARAMS
#define HAVE___UINT128_T    1

#define NO_DSA
#define NO_HC128
#define NO_RABBIT
#define NO_RC4
#define NO_PSK
#define NO_MD4
#define NO_PWDBASED

/*-- Debugging options  ------------------------------------------------------
*
* "DEBUG_WOLFSSL" definition enables log to output into stdout.
* Note: wolfSSL_Debugging_ON() must be called just after wolfSSL_Init().
*----------------------------------------------------------------------------*/

#define DEBUG_WOLFSSL



#endif /* USER_SETTINGS_H */
========================================

Go to forum: wolfSSL

83 Reply by anthony

(6 replies, posted in wolfSSL)

Hi jacob.andersen,

My name is Anthony and I am a member of the wolfSSL team.

I don't think I understand enough about your use case.  Is there any reason both the server and client would need to share the same context and ssl structs? 

I'd also need to know more about your system and platform.  For example, if this were linux then you have processes and it would be easy to set this up as separate applications. I think it would even be simple if your system only had threads.  I realize I am asking for information that you might not want to reveal on a public forum.  If you would like to talk about this in a more confidential medium, please send an email message to support@wolfssl.com referencing this post.

Warm regards, Anthony

Go to forum: wolfSSL

84 Reply by anthony

(8 replies, posted in wolfSSL)

Hi tonyjosi,

Note that reproducing and diagnosing this could take a bit of time. In the meantime, we quite often find that defining `WOLFSSL_ALT_CERT_CHAINS` often fixes this problem.  Can you please trying adding it your defines in your `user_settings.h` and then rebuilding everything?

Please let me know how it goes.

Warm regards, Anthony

Go to forum: wolfSSL

85 Reply by anthony

(8 replies, posted in wolfSSL)

Hi tonyjosi,
My name is Anthony and I am a member of the wolfSSL team.  Let me see if I can look into this for you. I will start by trying to reproduce this.
Warm regards, Anthony

Go to forum: wolfSSL

86 Reply by anthony

(2 replies, posted in wolfSSL)

Hi Sayeed,

My name is Anthony and I am a member of the wolfSSL team.  I'm not sure I understand your issue.  Can you give more details such as the compiler error message?

Warm regards, Anthony

Go to forum: wolfSSL

87 Reply by anthony

(3 replies, posted in wolfSSL)

Hi, Thanks for reaching otu Michael.  This appears to be a memory issue.  Can you please try repeating these procedures with Valgrind and then showing us the output?
Warm regards, Anthony

Go to forum: wolfSSL

88 Reply by anthony

(3 replies, posted in wolfSSL)

Hi,
Have you tried using wolfSSH? It can be found at  https://github.com/wolfSSL/wolfssh or from our download page.
Warm regards, Anthony

Go to forum: wolfSSL

89 Reply by anthony

(5 replies, posted in wolfSSL)

Thanks philipm,
We can continue the conversation there.  The short answer is it is not supported yet.  Please stay tuned to email for a response from support@wolfssl.com.
Warm regards, Anthony

Go to forum: wolfSSL

90 Reply by anthony

(5 replies, posted in wolfSSL)

Hi philipm,

Thank you so much for reaching out.  My name is Anthony and I am a member of the wolfSSL team.  Can you please send this request to support@wolfssl.com? This will allow us to better track your issue.

Warm regards, Anthony

Go to forum: wolfSSL

91 Reply by anthony

(4 replies, posted in wolfSSL)

Hi,

As we say in https://github.com/wolfSSL/wolfssl/blob/master/INSTALL:

Use the Visual Studio Solution wolfssl64.sln

Can you tell us a bit about your project?  What are you trying to achieve?

Warm regards, Anthony

Go to forum: wolfSSL

92 Reply by anthony

(4 replies, posted in wolfSSL)

I'm so glad I was able to provide helpful information.  Please feel free to use our technical support service at support@wolfssl.com should you prefer more private interactions. 

Warm regards, Anthony

Go to forum: wolfSSL

93 Reply by anthony

(4 replies, posted in wolfSSL)

Hi Paul,
Please have a look at https://github.com/wolfSSL/wolfssl/tree … DE/ARDUINO .

Can you please let us know a bit about your project?  Is it out of professional, personal or academic interest?  Is there any organization associated with your efforts?

Warm regards, Anthony

Go to forum: wolfSSL

94 Reply by anthony

(3 replies, posted in wolfCrypt)

Hi Dien,

I understand. Would you like to register your interest in CBC and CCM mode stream APIs as an official feature request?  It will only take a few minutes of your time.  If so, please send an email to support@wolfssl.com referencing this forum thread.

Warm regards, Anthony

Go to forum: wolfCrypt

95 Reply by anthony

(3 replies, posted in wolfCrypt)

Hello dientc.511,
We also have streaming for Gmac and AES-EAX. You can search for the following API

wc_AesEaxInit()
wc_AesEaxEncryptUpdate()
wc_AesEaxEncryptFinal()

What other modes were you looking for?

Warm regards, Anthony

Go to forum: wolfCrypt

96 Reply by anthony

(3 replies, posted in wolfSSL)

Hi Ja1999,
Yes I suspect that would work.
Warm regards, Anthony

Go to forum: wolfSSL

97 Reply by anthony

(3 replies, posted in wolfSSL)

Hi  ja1999,

Thanks for your interest in wolfSSL.  4.8.1 is a very old version.  I suspect you are bumping into expired certificates in our testing directory.

Have you tried a more recent version of wolfSSL-fips-ready?   5.6.4 is the most recent version and it is available at https://wolfssl.com/download . I tested it recently and it works as expected.

Warm regards, Anthony

Go to forum: wolfSSL

98 Reply by anthony

(3 replies, posted in wolfSSL)

Mattia,

The easiest way to confirm my theory is to define WOLFSSL_DEBUG_TLS to see what the server gets.

Warm regards, Anthony

Go to forum: wolfSSL

99 Reply by anthony

(3 replies, posted in wolfSSL)

Hello Again Mattia,

I have successfully imported your ClientHello into wireshark.  It looks to be a compliant TLS 1.3 client hello handshake message.  I see no problems with it.  But then the server sends a DECODE_ERROR alert message. Can you please confirm that the server received the same client hello that you pasted above? I suspect that there is some sort of I/O mishap here.

Warm regards, Anthony

Go to forum: wolfSSL

100 Reply by anthony

(3 replies, posted in wolfSSL)

Hello Mattia,

Thank you for reaching out to us here at wolfSSL.  I will need some time to analyze the handshake data that you have shown.  It might be more efficient if you could turn on debugging (define WOLFSSL_DEBUG and call wolfSSL_Debugging_ON() ) on both sides and paste the logs in a message here.

Warm regards, Anthony

Go to forum: wolfSSL