Topic: Minimum ECC build

Hello,

I'm trying to make a minimum-footprint ECC build.
The cipher I want to test is: TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256

Thus, regarding the ECC, I've defined:
    #define HAVE_ECC
    #define ECC_USER_CURVES /* Will use default ECC256 size */
    #define NO_ECC_SIGN
    #define NO_ECC_VERIFY
    #define NO_ECC_KEY_IMPORT
    #define NO_ECC_KEY_EXPORT

When trying to compile I get a lot of errors in internal.c and asn.c files:
    undefined reference to `wc_ecc_verify_hash'
    undefined reference to `wc_ecc_sign_hash'
    undefined reference to `wc_ecc_import_x963_ex'
    undefined reference to `wc_ecc_export_x963'
    undefined reference to `wc_ecc_import_private_key_ex'

For this project I have two more defines that may be related to the topic:
    #define NO_CERTS
    #define NO_WOLFSSL_SERVER

Are there more options I need to disable/enable to make it work?

Best regards.


Re: Minimum ECC build

Hello,

Some insight on the matter, please.
As I understand, the defines:
    #define NO_ECC_SIGN
    #define NO_ECC_VERIFY
    #define NO_ECC_KEY_IMPORT
    #define NO_ECC_KEY_EXPORT
have to exclude these undefined function calls from the code, but it doesn't happen.

Thanks in advance.
Best regards.


Re: Minimum ECC build

Hi andrey.ribalko,

Currently that configuration is not supported with TLS. The only configuration we currently allow that exposes generating the shared secret but does not include sign/verify/key import/key export would also have to include the setting "WOLFCRYPT_ONLY" which disables SSL/TLS functionality.

Could you tell us a little about the project you are working on and your memory constraints? What do you have available and what is your ideal build size, what is the current build size with all of that additional functionality enabled?

So you are aware wolfSSL does offer traditional engineering consulting services if you would like to explore the option of adding a "PSK with perfect forward secrecy and no ECC Public Key Support" build option. That is something we can definitely do!


Warm Regards,

Kaleb Himes
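
A pre-build check for the rule stated in the reply above, as an added example that is not part of the original thread and not wolfSSL code. The function names are hypothetical, the switch-to-function mapping is inferred from the link errors in the first post, and the rule reflects what the reply says was supported at the time.

```python
import re

# Assumption: each switch removes these wolfCrypt functions; the symbol names
# are the ones in the link errors quoted in the first post.
REMOVED_BY = {
    "NO_ECC_SIGN": ["wc_ecc_sign_hash"],
    "NO_ECC_VERIFY": ["wc_ecc_verify_hash"],
    "NO_ECC_KEY_IMPORT": ["wc_ecc_import_x963_ex", "wc_ecc_import_private_key_ex"],
    "NO_ECC_KEY_EXPORT": ["wc_ecc_export_x963"],
}
DIRECTIVE = re.compile(r"^\s*#\s*(define|undef)\s+([A-Za-z_]\w*)")

def active_defines(header_text):
    """Macros left defined after every #define/#undef line, in order.
    Assumption: #if/#ifdef blocks are not evaluated (flat settings file)."""
    text = re.sub(r"/\*.*?\*/", "", header_text, flags=re.S)  # drop /* */ comments
    defined = set()
    for line in text.splitlines():
        m = DIRECTIVE.match(line.split("//", 1)[0])  # ignore // comments
        if m:
            (defined.add if m.group(1) == "define" else defined.discard)(m.group(2))
    return defined

def check_ecc_settings(header_text):
    """Return (supported, symbols_expected_to_be_unresolved)."""
    d = active_defines(header_text)
    stripped = sorted(k for k in REMOVED_BY if k in d)
    # Per the reply: stripping these is only allowed together with WOLFCRYPT_ONLY.
    if "HAVE_ECC" not in d or not stripped or "WOLFCRYPT_ONLY" in d:
        return True, []
    return False, [sym for k in stripped for sym in REMOVED_BY[k]]

# Constructed sample: the settings listed in the first post.
POSTED = """
#define HAVE_ECC
#define ECC_USER_CURVES /* Will use default ECC256 size */
#define NO_ECC_SIGN
#define NO_ECC_VERIFY
#define NO_ECC_KEY_IMPORT
#define NO_ECC_KEY_EXPORT
#define NO_CERTS
#define NO_WOLFSSL_SERVER
"""

if __name__ == "__main__":
    ok, missing = check_ecc_settings(POSTED)
    print("supported" if ok else "unsupported with TLS; unresolved: " + ", ".join(missing))
```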

Re: Minimum ECC build

Hello,
Thank you for the reply.

We are manufacturing controller devices for home automation, that are running on STM32F217 with 512KB ROM and 128KB RAM. The devices have lots of functionality and we're very close to the end of memory (ROM and RAM). Every device has an option to connect to our server, the connection has to be secured.

We don't have some crucial build size and stack usage requirements from SSL module and we understand that there is some tradeoff between security level and memory footprint. Our approach is to choose several ciphers and make the lowest footprint possible for each. Only then we will be able to decide what cipher, and as a result what build, suits our needs best.

Currently I'm tasked to test TLS_ECDHE_PSK_... cipher as it allows disabling the certificate part of the code and reducing the footprint by a good amount. By investigating the code I found the options to disable ECC sign/verify/key_import/key_export, but, as I've described in the first post, I get errors during compilation.

So, if I understood correctly, at this moment if defining HAVE_ECC the sign/verify/key_import/key_export options cannot be excluded from the build and these four defines are not allowed to be used?

Thanks in advance.
Best regards.


Re: Minimum ECC build

Hi andrey,

> So, if I understood correctly, at this moment if defining HAVE_ECC the sign/verify/key_import/key_export options cannot be excluded from the build and these four defines are not allowed to be used?

At this time that is correct, it is currently not a supported configuration. HOWEVER we do understand the build you are after and it makes sense.

It should be possible and would likely only take us anywhere from a few hours to a day of engineering work to make the changes then document and test the changes.


Warm Regards,

Kaleb

Re: Minimum ECC build

Hi andrey,

Can you tell me who you are with and where in the world you are so I can put the correct resource in touch with you to assist with this evaluation?

If you do not wish to share on the public forum feel free to contact me directly at kaleb@wolfssl.com


Warm Regards,

Kaleb

Re: Minimum ECC build

Hello,

I'm a programmer from a small company "Xdimax LTD" in Israel.
Thanks for your great support.

Best regards.
