This error occurs when you don't add the submodules and the options.h file. Simply follow the instructions from the README and rebuild project.

$ cd android/wolfssljni-ndk-gradle
$ git submodule init
$ git submodule update
$ cp ./wolfssl/wolfssl/options.h.in ./wolfssl/wolfssl/options.h

The relevant section of Figure 1.12 is "1.2. Create Basic UDP Client:". But the code in Figure 1.12 is probably DTLS, not a basic UDP client.

I am trying to load different certificates and run server-tls13 and client-tls13 files. I changed the path of the certificates to a new one in server-tls13.c and client-tls13.c

The certificates which I am trying to load are falcon512 certificate chain of length 3. I configured wolfssl by using --enable-all --with-liboqs.

My wolfssl version is 5.5.4. Also, certificates are not expired. I also tried loading combined certificates.

3rd parameter to wc_AesSetKey is hardcoded to AES_BLOCK_SIZE (16 bytes), but should it be the key size input by the user?

Latest SGX SDK no longer builds with -lsgx_tstdcxx here. It should be replaced with libsgx_tcxx

I am trying to run the Windows SGX benchmark in Visual Studio 2015. The WolfSSL library gets built successfully. However, trying to build the enclave project results in the following errors:

Error	LNK2019	unresolved external symbol wc_DsaVerify referenced in function ConfirmSignature	Enclave	C:\Users\User\Downloads\wolfssl-examples-master\wolfssl-examples-master\SGX_Windows\Enclave\asn.obj

Error	LNK2019	unresolved external symbol wc_FreeDsaKey referenced in function FreeSignatureCtx	Enclave	C:\Users\User\Downloads\wolfssl-examples-master\wolfssl-examples-master\SGX_Windows\Enclave\asn.obj	

Error	LNK2019	unresolved external symbol wc_InitDsaKey_h referenced in function ConfirmSignature	Enclave	C:\Users\User\Downloads\wolfssl-examples-master\wolfssl-examples-master\SGX_Windows\Enclave\asn.obj	

Error	LNK1120	3 unresolved externals	Enclave	C:\Users\User\Downloads\wolfssl-examples-master\wolfssl-examples-master\SGX_Windows\x64\Debug\Enclave.dll	1	

I am running this in Debug x64 mode with the Intel SGX debugger. This is the same configuration I used for building the wolfssl.lib. I would really appreciate it if someone could point to the right direction; Google has been of no use so far.

Hi,

I'm working with dtls examples, both single-threaded and multi-threaded and I noticed a different result with queued client connections.

It works perfectly when using server_dtls.c to process multiple client connections from client-dtls-threaded.c. Of course, on the server side client requests are processed sequentally one by one, but it is able to process all the requests . On the contrary, when I use server-dtls-threaded.c with only 2 threads and client-dtls-threaded.c with 4 threads, the server processes the first two client connections simultaneously, but it only process the third one afterwards, and returns -395 (Duplicate message error) error for the fourth one when calling wolfSSL_connect.

I expected multi-threaded server code to process al the queued connections but it only processes the first one when a thread gets free after processing the first connection batch. Is this behaviour correct or there might be a problem with that?

Thank you very much in advance,
Adrian

Hello.
I am using wolfssl 5.6.3
i built the wolfssl library like this:

./configure --enable-aesgcm-stream
sudo make install

and when i run the aesgcm-file-encrypt it shows abort

Note: i am able to run aes-file-encrypt ,,, for that i built the library using ./configure --enable-pwdbased && make && sudo make install

Hi Chris Conlon,
I used your library in android and in this API
WOLFSSL_API int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX*, const char*, const char*);
your calling ProcessFile() method and trying to open file with file name but its failing, due to Android is not allowing to open file but if you can take file descriptor then FOPEN will work or use asset manager in NDK then it will be easily.

example:-
instead of fname, if you had file descriptor it will work in android or you use -DWOLFSSL_JNI flag and ask for AssetManager to process the file from assets directory it will also work.

file = XFOPEN(fname, "rb");
if (file == XBADFILE) return WOLFSSL_BAD_FILE;
if (XFSEEK(file, 0, XSEEK_END) != 0) {
XFCLOSE(file);
return WOLFSSL_BAD_FILE;
}
sz = XFTELL(file);
XREWIND(file);

I tested the project sgx-ra-tls/deps/wolfssl-examples/SGX_Linux, I want use the function which name enc_wolfSSL_CTX_load_verify_buffer, its return value is -150,i checkd the info is: ASN date error, current date before.The same method I test wolfSSL_CTX_load_verify_buffer outer enclave , it reurn ssl_success,why?

The make fails if the write-dup feature is not enabled. Can we change this so it builds with a main() stub and printf an error at run-time instead of failing build-time with #error. This will allow other TLS examples to build and run.

gcc -o client-tls-writedup client-tls-writedup.c -Wall -I/usr/local/include -Os -pthread -L/usr/local/lib -lm -lwolfssl
client-tls-writedup.c:43:6: error: #error "wolfSSL must be configured and installed with --enable-writedup"
     #error "wolfSSL must be configured and installed with --enable-writedup"
      ^~~~~
make: *** [client-tls-writedup] Error 1

Hello. I'm trying your CSR generating example on an Arduino but the compile fails with:

:\Arduino\arduino-1.8.12\libraries\wolfSSL\asn.c: In function 'SetTime':

C:\Arduino\arduino-1.8.12\libraries\wolfSSL\asn.c:10402:29: error: dereferencing pointer to incomplete type 'struct tm'

     output[i++] = itob((date->tm_year % 10000) / 1000);

                             ^

C:\Arduino\arduino-1.8.12\libraries\wolfSSL\asn.c: In function 'SetValidity':

C:\Arduino\arduino-1.8.12\libraries\wolfSSL\asn.c:10461:15: error: storage size of 'localTime' isn't known

     struct tm localTime;

               ^

Is there some time setting somewhere I'm missing?

Thanks!

My user_settings.h file has this:

/* Generated wolfSSL user_settings.h file for Arduino */
#ifndef ARDUINO_USER_SETTINGS_H
#define ARDUINO_USER_SETTINGS_H

/* Platform */
#define WOLFSSL_ARDUINO

/* Math library (remove this to use normal math)*/
#define USE_FAST_MATH
#define TFM_NO_ASM

/* RNG DEFAULT !!FOR TESTING ONLY!! */
/* comment out the error below to get started w/ bad entropy source
 * This will need fixed before distribution but is OK to test with */
//#error "needs solved, see: https://www.wolfssl.com/docs/porting-guide/"
#define WOLFSSL_GENSEED_FORTEST

#define WOLFSSL_DER_TO_PEM

#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define XGMTIME
#define XTIME fnSecondsSinceEpoch
extern unsigned long my_time(unsigned long* timer);
#define NO_ASN_TIME

#endif /* ARDUINO_USER_SETTINGS_H */

Absolutely amazing docs!

Spotted sever instead of server FYI.

Thanks.

Hi, I require some assistance in connecting to wolfssl. I was using the client and server sample codes for a project of mine and instead of the default cert verification, I edited the code to validate other website certificates (E.g. Ebay). How all went well until the error message prompted me "ERROR: Failed to connect to wolfSSL". I'm not sure what is causing the issue. Anyone encounter this before.

Ps the default code works fine.

Sorry, but can't find any hint in the docs nor in the example to do that. Any hints appreciated.

Hello,

I don't know what's wrong.

Using your example 8f1ac1a, wc_PKCS12_parse returns -154 /* ASN input error, not enough data */

If the password is incorrect, it rightfully returns -213, /* MAC comparison failed */.
So I suppose pkcs12 is filled correctly.

Attached are 2 pfx files (please rename .txt to .zip).

1. The original one (client_certificate2.pfx),
2. The same one, but retrieved from Windows Store (myCert.pfx).
   pw: Tango256

Both are processed correctly by openssl.

Does wolfssl (3.10.2) supports that kind of files?

Thank you.

pfx.txt

clu_crypto_setup.c contains the incorrect length value 3 vice 4 for -pwd arg. (Tests in tests/testEncDec hang waiting on suspected missing password input.)

ret = wolfCLU_checkForArg("-pwd", 3, argc, argv);

I am new to SSL/TLS concepts, and while examining the examples in the TLS directory, I noticed that the certificate path (CERT_FILE) is self-signed and cannot be used to verify other sites. From what I understand, browsers typically use the system's certificate store to verify visited sites. on my Linux system, it's located in /etc/ssl/certs

My question are:

• is it possible to use a list of certificates for verification, similar to how browsers do?
• if that's not feasible, is there a way to "disable peer check" as a potential workaround solution?

Ubuntu18.04
SGX SDK: https://github.com/intel/linux-sgx

make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=/home/pengfei/ssl/wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0 HAVE_WOLFSSL_TEST=1

make -ef sgx_u.mk all
make[1]: Entering directory '/home/pengfei/ssl/wolfssl-examples/SGX_Linux'
make[1]: Nothing to be done for 'all'.
make[1]: Leaving directory '/home/pengfei/ssl/wolfssl-examples/SGX_Linux'
make -ef sgx_t.mk all
make[1]: Entering directory '/home/pengfei/ssl/wolfssl-examples/SGX_Linux'
-m64 -O2 -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L/opt/intel/sgxsdk/lib64 -L/home/pengfei/ssl/wolfssl/IDE/LINUX-SGX/ -lwolfssl.sgx.static.lib -Wl,--whole-archive -lsgx_trts_sim -Wl,--no-whole-archive -Wl,--start-group -lsgx_tstdc -lsgx_tstdcxx -lsgx_tcrypto -lsgx_tservice_sim -Wl,--end-group -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined -Wl,-pie,-eenclave_entry -Wl,--export-dynamic -Wl,--defsym,__ImageBase=0 -Wl,--version-script=trusted/Wolfssl_Enclave.lds@
/usr/local/bin/ld: cannot find -lsgx_tstdcxx
collect2: error: ld returned 1 exit status
sgx_t.mk:128: recipe for target 'Wolfssl_Enclave.so' failed
make[1]: *** [Wolfssl_Enclave.so] Error 1
make[1]: Leaving directory '/home/pengfei/ssl/wolfssl-examples/SGX_Linux'
Makefile:13: recipe for target 'all' failed
make: *** [all] Error 2

Any advice would be appreciated.

Hello, I'm trying to query data from server using the client example in SGX_Linux. But occurs a problem: Failed to connect to server.

I modified the client-tls.c file in three places:

1. #define SERV_PORT 80
2. char sendBuffer[] = "GET /api?module=account&action=balance&address=0xddbd2b932c763ba5b1b7ae3b362eac3e8d40121a&tag=latest&apikey=YourApiKeyToken";
3. if (net_pton(AF_INET, "23.111.175.138", &servAddr.sin_addr))

And the error code is -326
VERSION_ERROR = -326, /* record layer version error */

Is there some setting somewhere I'm missing?

In my client, after (or during) handshake, I would like to loop over the certs provided by the server side. Basically to do custom OCSP requests, provide HPKP functionality and to print detailed information about each cert in the chain.

I didn't find code in the examples/client/client.c.

Could you point me to some example or detailed docs, please ?

How to use the client example in SGX_Linux to query data from server, for example: api.etherscan.io/api?module=account&action=balance&address=0xddbd2b932c763ba5b1b7ae3b362eac3e8d40121a&tag=latest&apikey=YourApiKeyToken

failed to build tls-sock-client accordding to the readme

The online docs should be at the mentioned place (e.g. #144 suggests it). Functions seem to be missing (search doesn't know them either). Examples are wolfSSL_CTX_UseSNI() and wolfSSL_UseSNI().

Also it's hard to find TLS1.3 references there, I had to pull a lot stuff out of the header files directly. E.g. places where WOLFSSL_TLSV1_2 is mentioned, WOLFSSL_TLSV1_3 was missing.

Hi,

I can't compile wolfssl (master from github) with gcc 6.1.1 under linux:

  CC       wolfcrypt/test/test.o
wolfcrypt/src/poly1305.c: In function ‘wc_Poly1305Update’:
wolfcrypt/src/poly1305.c:531:5: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
     if (ctx == NULL)
     ^~
wolfcrypt/src/poly1305.c:535:2: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
  if (ctx->leftover) {
  ^~
  CC       examples/client/client.o
  CC       examples/echoclient/echoclient.o
cc1: all warnings being treated as errors
make[1]: *** [Makefile:2607: wolfcrypt/src/src_libwolfssl_la-poly1305.lo] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/root/src/wolfssl'
make: *** [Makefile:1698: all] Error 2

I downloaded and expanded wolfssl and wolfssl-examples.And I did the following to run the dls example.
in wolfssl directory

./configure --enable-dtls
make
sudo make install

in wolfssl-examples directory

cd ./dtls
make

I get the following error in the dtls directory

./server-dtls
./server-dtls: error while loading shared libraries: libwolfssl.so.23: cannot open shared object file: No such file or directory

By the way, it is confirmed that the file exists in the following directory.

cd ./usr/local/lib
ls
libwolfssl.la  libwolfssl.so  libwolfssl.so.23  libwolfssl.so.23.0.0

I don't know why I get this error.It would be greatly appreciated if you could explain the details.

My server does not require send the client certificates, but I should accept the peer certificates from the server, the server gives me two self signed certs, one CA, and a KEY. My question is how I can accept/validate this certs?

Thx in advante

Dear wolfSSL developers,

I tested my software verifier on several examples of your repository. My tool could detect a thread leak in (memory-tls.c).

Note that thread leak means a thread that is not joined (i.e., a thread is created but not released), which may cause applications to respond slow or hang.

It seems like the thread_create in

This example

is not released or joind

Please confirm if it a real bug.

Best,
Fatimah

I am trying to work on aes, i am able to run aes-file-encrypt but when i am trying to run aesgcm-file-encrypt(wolfssl-examples/crypto/aes/aesgcm-file-encrypt.c) it is showing as aborted.

i followed all the steps mentioned in the readme file but still it is showing aborted .

I'm getting below error after make command:
gcc -o sphincs_sign_verify sphincs_sign_verify.c -Wall -I/usr/local/include -Os -L/usr/local/lib -lm -lwolfssl
/usr/bin/ld: /tmp/ccOWtIxv.o: in function main': sphincs_sign_verify.c:(.text.startup+0x208): undefined reference to InitDecodedCert'
/usr/bin/ld: sphincs_sign_verify.c:(.text.startup+0x216): undefined reference to `ParseCert'
collect2: error: ld returned 1 exit status
make: *** [Makefile:33: sphincs_sign_verify] Error 1

This is the same as wolfSSL/wolfssl#6057 but as applied to this repo.

Version

current master branch

Description

Currently the project files for the VisualGDB Extension for Visual Studio are located in the same directory as the main wolfSSL project. For example: TLS13-ENC28J60-client. The problem with this is both the command-line idf.py build and VisualGDB both use the local ./build directory.

Although VisualGDB will gracefully clean the directory, the commandline idf.py fullclean is a bit more prudent, and will not clean the build the directory if (apparently extra) VisualGDB build files are found. The idf build instead gives an error such as this:

Executing action: fullclean
Directory '/mnt/c/workspace-PR/wolfssl/IDE/Espressif/ESP-IDF/examples/wolfssl_test/build' doesn't seem to be a CMake build directory. Refusing to automatically delete files in this directory. Delete the directory manually to 'clean' it.
/mnt/c/workspace-PR/wolfssl/IDE/Espressif/ESP-IDF
Failed in test

I plan to move the project files to a new VisualGDB subdirectory in the currently open "no setup" PR #6018 to better support my upcoming changes to the compileAllExamples.sh.

The VisualGDB build files will then be in sampleProject/VisualGDB/build and the regular idf.py build files will be in sampleProject/build.

This will also help declutter the project directory as more VisualGDB project files are added that target different chipsets and different versions of the ESP-IDF.

See wolfSSL/wolfssl#6234 for a roadmap of Espressif updates.

Working with the ChaCha example found at https://www.wolfssl.com/docs/wolfssl-manual/ch10/.

Example given is:

CHACHA enc;
const byte key[] = { /some key 32 bytes/};
byte plain[37]; /no size restriction, fill with data/
wc_Chacha_SetKey(&enc, key, keySz);

Depite passing in a 32 byte key I am getting a -173 error code.

Built wolfssl solution as of a few minutes and tried to recreate the Camellia example. Cannot find the wolfssl/options.h header file and therefore cannot run on my Win machine. What am I missing here?

There are few sphincs certificates of different levels in the wolfss-examples/certs directory. It would be great if you could share some commands to generate sphincs certificates.

client-tls-resume.c does show session resumption for a single-threaded application.

In my case I have a multi-threaded application that needs to store session data to disk and restore it from there. I was searching for functions like wolfSSL_get_session_data(ssl, void *data, int &size) and wolfSSL_set_session_data(ssl, data, size). Maybe I just didn't find it !?

I wonder what is the recommended workflow for the described scenario ?

Hi,

I am trying to verify a certificate chain with one intermediate certificate. I am using certverify.c program from certmanager directory. I changed the certificate paths to a new one and executed the program after running a make command.

Following are the screenshots:

Error = -148 is getting displayed when input certificates are a root certificate and a combined certificate (combination of intermediate and end certificate)

Error = -188 is getting displayed when input certificates are an intermediate certificate and an end certificate.

Following screenshot shows the output after executing ./certloadverifybuffer

The output is same irrespective of the certificate combinations.

I was testing wolfssl-examples/signature and was not able to verify the generated signature using openssl and vice versa.
I came across the following post in the wolfssl forum
https://www.wolfssl.com/forums/topic883-solvedwhy-wolfssl-cant-support-those-rsa-signature-which-padoid.html

Did the exact steps mentioned in the post but could not get success.

wolfssl$ git status
HEAD detached at v3.15.7-stable
nothing to commit, working directory clean
./configure && make && make install

Generated signature using by running example code
/signature README.md 3 5
Signature Example: Sig=3, Hash=5
File README.md is 1763 bytes
RSA Key Size 2048
RSA Signature Len: 256
RSA Signature Generation: Pass (0)
RSA Signature Data:
1A 06 BD 12 CE 8C 70 5D 63 0A CC 5B CF DA 97 B0
75 B1 BC A6 89 59 1A C4 32 3F A9 AF D7 73 1F E6
49 5D 75 2B F3 6B AC FA CB B0 10 BA F9 17 93 B2
89 D7 C8 BA 26 0C D1 6E 61 8A 82 75 49 4F 9D 2C
97 C1 1B 07 5B 21 31 FA 79 0C 22 99 35 18 E6 D2
2E 85 B1 80 3A 16 6A 26 41 DD 24 88 56 B6 80 F3
92 25 40 DF 69 38 A0 25 51 34 11 DD 43 5D 51 F5
AA DB 0E 66 16 08 42 6D 99 BB 60 1B F2 E7 E2 41
FC 02 26 F2 8B 7A 53 3F 71 79 63 93 2B 18 74 5E
C6 13 92 15 76 E5 17 20 8A DE 66 A9 C6 13 43 16
AF CF 50 E9 9E 2F 2D 45 EE E6 74 BA 3D 7F B9 E8
6D 2D 10 8A F1 20 67 4F 62 31 2F E0 20 D8 FD 22
8B 24 C8 1C 0C 3E AF 28 E1 C1 48 71 14 F5 88 60
E4 43 50 B8 A6 B5 22 32 17 71 32 76 D0 5F 4A 4E
75 2D AC 70 48 58 D5 C2 53 03 8B 39 B9 79 B5 DF
4E D1 53 D0 FC 08 0D 1C C5 14 EE F0 55 4C A0 56
RSA Signature Verification: Pass (0)

Signature generated using the same keys are different and verification failed.
$openssl version
OpenSSL 1.0.1f 6 Jan 2014
$openssl dgst -sha256 -sign ../certs/client-key.der -keyform DER -hex README.md
RSA-SHA256(README.md)= 258a167760e6123adb91cff647bdda66906446aaa866f908fdcfea48bb33887349f7277d54f08b489aa5906ec1113b589a4abdcb2a5aecea50af31bc80cb16dea203821ffdd06457820b9de0fa7efe21d64fe9d197768f8c4e822a7c36566e26996712c038ee29be8aedd0f0c97741259f9849a05d97abc6d9435344dd7b34daf4ce6b953b3de8c9e36f180a91493ed8c066ecf58517658b1a304f87a68eab1057a5ca48294354cb7e4483a1404421f6373cb8c94b54b63c0a728f8f1730631fc80bd7f8e9a9862097e542f06fbda87efb119c7e4977721b994cacd7b6f4b154863ae38c60f75820b8e1e6043dbc3c4f719a7c2cb30a73a8f448404c0bd1ab6b

$ openssl dgst -sha256 -sign ../certs/client-key.der -keyform DER -out sign.txt README.md
$./signature README.md 3 5 sign.txt
Signature Example: Sig=3, Hash=5
File README.md is 1763 bytes
File sign.txt is 256 bytes
RSA Key Size 2048
RSA Signature Data:
25 8A 16 77 60 E6 12 3A DB 91 CF F6 47 BD DA 66
90 64 46 AA A8 66 F9 08 FD CF EA 48 BB 33 88 73
49 F7 27 7D 54 F0 8B 48 9A A5 90 6E C1 11 3B 58
9A 4A BD CB 2A 5A EC EA 50 AF 31 BC 80 CB 16 DE
A2 03 82 1F FD D0 64 57 82 0B 9D E0 FA 7E FE 21
D6 4F E9 D1 97 76 8F 8C 4E 82 2A 7C 36 56 6E 26
99 67 12 C0 38 EE 29 BE 8A ED D0 F0 C9 77 41 25
9F 98 49 A0 5D 97 AB C6 D9 43 53 44 DD 7B 34 DA
F4 CE 6B 95 3B 3D E8 C9 E3 6F 18 0A 91 49 3E D8
C0 66 EC F5 85 17 65 8B 1A 30 4F 87 A6 8E AB 10
57 A5 CA 48 29 43 54 CB 7E 44 83 A1 40 44 21 F6
37 3C B8 C9 4B 54 B6 3C 0A 72 8F 8F 17 30 63 1F
C8 0B D7 F8 E9 A9 86 20 97 E5 42 F0 6F BD A8 7E
FB 11 9C 7E 49 77 72 1B 99 4C AC D7 B6 F4 B1 54
86 3A E3 8C 60 F7 58 20 B8 E1 E6 04 3D BC 3C 4F
71 9A 7C 2C B3 0A 73 A8 F4 48 40 4C 0B D1 AB 6B
RSA Signature Verification: Fail (-229)

But openssl can verity the signature with success
openssl dgst -sha256 -verify ../certs/client-keyPub.der -keyform DER -signature sign.txt README.md
Verified OK

Is there something I miss out?

Previously thanks for helping me out. I really appreciate that!
But there was a problem again. I am using DTLS. And I decided to change the cipher suite.

in wolfssl directory

./configure --enable-dtls --enable-ecc
make
sudo make install
sudo ldconfig

terminal1

./client-dtls 127.0.0.1

terminal2

./server-dtls
Socket allocated
Awaiting Client connection on port 11111
Connected!
error = -501, can't match cipher suite
SSL_accept failed.

code added to client-dtls.c

char*  cipher_suite = "ECDHE-ECDSA-AES128-GCM-SHA256";
wolfSSL_set_cipher_list(ssl, cipher_suite);

Here is the question. Why this cipher suite fails? By the way "ECDHE-RSA-AES128-GCM-SHA256"succeeds without problems. And "ECDHE-ECDSA-AES128-GCM-SHA256" was also on the cipher suites list of ClientHello.
It would be greatly appreciated if you could teach the problem. I am sorry that my English is so bad.

All of the samples of DTLS are based on socket. But there is no socket interface on Arduino. The only network API I can use is Client (or EthernetClient). How can I enable DTLS then? (By the way, the underlying UDP functionality works).
The title of this issue is not so accurate. I'm not focusing on Arduino though. I'm expecting DTLS over non-socket environment which is quite prevail on bare metal MCU development.

I want verify the certificate chain in sgx Enclave.And the client set the certificate chain with function , but when i call the function wolfSSL_X509_verify_cert to verify the certificate chain,it report " undefined reference to `wolfSSL_X509_verify_cert'",I checked the resource code, I find the function which named wolfSSL_X509_verify_cert need the macro “OPENSSL_EXTRA”。And I added the option "-DOPENSSL_EXTRA" to grenate libwolfssl.sgx.static.lib.a. I'm working on Linux ,so i find the sgx makefile wolfssl/IDE/LINUX-SGX/sgx_t_static.mk,and Look for the line: Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX and add this below that line to gain access to the X509 API's, as flows:
Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
Wolfssl_C_Extra_Flags += -DOPENSSL_EXTRA

After changed sgx_t_static.mk,And i changed the file in "wolfssl-examples/SGX_Linux" which named sgx_t.mk,added "-DOPENSSL_EXTRA" to the variable Wolfssl_C_Extra_Flags, but when i make the file. it reported as flows:
/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a(ssl.o): In function wolfSSL_BIO_free': ssl.c:(.text+0x435b): undefined reference to close'
I checke the function wolfSSL_BIO_free in ssl.c ,as flows:
int wolfSSL_BIO_free(WOLFSSL_BIO* bio)
{
/* unchain?, doesn't matter in goahead since from free all /
WOLFSSL_ENTER("wolfSSL_BIO_free");
if (bio) {
/ remove from pair by setting the paired bios pair to NULL */
if (bio->pair != NULL) {
bio->pair->pair = NULL;
}

        if (bio->close) {
            if (bio->ssl)
                wolfSSL_free(bio->ssl);
            if (bio->fd)
                CloseSocket(bio->fd);
        }

    #ifndef NO_FILESYSTEM
        if (bio->type == BIO_FILE && bio->close == BIO_CLOSE) {
            if (bio->file) {
                XFCLOSE(bio->file);
            }
        }
    #endif

        if (bio->mem)
            XFREE(bio->mem, bio->heap, DYNAMIC_TYPE_OPENSSL);
        XFREE(bio, bio->heap, DYNAMIC_TYPE_OPENSSL);
    }
    return 0;
}

the "close" is one property of the structure WOLFSSL_BIO which in internal.h,as flows:

/* wolfSSL BIO type /
struct WOLFSSL_BIO {
WOLFSSL ssl; /* possible associated ssl /
#ifndef NO_FILESYSTEM
XFILE file;
#endif
WOLFSSL_BIO prev; /* previous in chain /
WOLFSSL_BIO next; /* next in chain /
WOLFSSL_BIO pair; /* BIO paired with /
void heap; /* user heap hint /
byte mem; /* memory buffer /
int wrSz; / write buffer size (mem) /
int wrIdx; / current index for write buffer /
int rdIdx; / current read index /
int readRq; / read request /
int memLen; / memory buffer length /
int fd; / possible file descriptor /
int eof; / eof flag /
byte type; / method type */
byte close; / close flag /
};

No other problems can be seen.how can i resolve this problem?please give me some help.thaks a lot

To whom it may concern,

Ecall function "enc_wolfSSL_CTX_use_certificate_buffer" and its EDL definition have potential vulnerability due to incomplete boundary check of input pointer 'WOLFSSL_CTX* ctx' which can be hijacked.

In short words, function like "enc_wolfSSL_CTX_use_certificate_buffer" consume pointer 'WOLFSSL_CTX* ctx' without thorough check of its members. E.g., ctx->heap can be modified pointing to untrusted zone while ctx can still pass the current sgx boundary check and get consumed by corresponding functions.

In detail, function ProcessBuffer inside wolfssl/ssl.c allocate heap using function "wolfSSL_CTX_GetHeap(ctx, ssl)". Yet, current boundary check will miss faked "WOLFSSL_CTX* ctx_malicious" which might have allocated the "heap" outside of enclave. In such case, all secret will be visible from outside of SGX whose security promise is completely broken in this application.

Please feel free to contact me about this issue, we have POC proving this idea. We are willing to discuss how to mitigate this issue.

Best regards,

W

Hi,

I have tested the tls server (server-dtls.c) and when I send messages with the client (client-dtls.c) I receive the server's responses perfectly.

But now I am testing the server with threads (server-dtls-threaded.c) and I am not receiving any response in the clients (client-dtls.c or client-dtls-shared.c)

The server is able to receive connections from multiple clients, because everytime I try to connnect I see these messages:

Connected!
control passed to ThreadControl.

But, when the method "ThreadControl" is called, the execution of the code stops and I did not receive anything from the client. I have added two prints (Step1 and Step2) and the first one is only printed. I understand that the problem is in the function "wolfSSL_accept(ssl)" but I don't understand why since this same function is used on the server without threads and it does work well for me:

    printf("Step 1.\n");

    if (wolfSSL_accept(ssl) != SSL_SUCCESS) {
        
        printf("Error.\n");

        e = wolfSSL_get_error(ssl, 0);

        printf("error = %d, %s\n", e, wolfSSL_ERR_reason_error_string(e));
        printf("SSL_accept failed.\n");
        return NULL;
    }
    
    printf("Step 2.\n");

    if (wolfSSL_write(ssl, ack, sizeof(ack)) < 0) {
        printf("wolfSSL_write fail.\n");
        cleanup = 1;
        return NULL;
    }
    else {
        printf("Sending reply.\n");
    }

Thank you very much for your help in advance

I am not able to build the SGX example:

roshan@bolt:~/wolfssl/wolfssl-examples/SGX_Linux$ make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=~/wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0
make -ef sgx_u.mk all
make[1]: Entering directory '/home/roshan/wolfssl/wolfssl-examples/SGX_Linux'
make[1]: *** No rule to make target '/bin/x64/sgx_edger8r', needed by 'untrusted/Wolfssl_Enclave_u.c'.  Stop.
make[1]: Leaving directory '/home/roshan/wolfssl/wolfssl-examples/SGX_Linux'
Makefile:13: recipe for target 'all' failed
make: *** [all] Error 2

I have not touched the any of the makefile.

Dear maintainers,

While playing with the TLS examples, I realized that since today, some certificates have expired. This is notably the case of ca-ecc-cert.pem, with an expiration date set to: Mar 16 13:23:41 2023 GMT.

Could you please have a look to the TLS certificates and regenerate them?

Thanks!
Cheers

Hi

I copied the content of certloadverifybuffer.c into my STM32L432KC-Project (Embedded System without OS nor FileSystem).

But always when i call one of the two wolfSSL_CertManagerVerifyBuffer()-Functions, it doesnt work and gives the following answer back: "ASN sig error, confirm failure"

But i also copied the three certificates, you provided within this file, so could you please check, if the code works still fine in your environment. If yes, there must be something in my environment, even if i cannot imagine what it could be.

Would very looking forward to hearing from you.

Best Regards
Heinz Hofmann

My Main-File (interesting content is in function "doCertificateStuff"):
main.zip

See wolfSSL/wolfssl#6018

See wolfSSL/wolfssl#6234 for a roadmap of Espressif updates.