I'm testing https for my application and I found http works but https fails.
The error is:
wiced_tcp_connect returns 1.
which is because wiced_tcp_start_tls returns 1.
which is because
wiced_tcp_start_tls
-> wiced_tcp_start_tls_with_ciphers
-> ssl_handshake_client_async returns 1.
I remove some features in my application at compiler time and then https works.
It seems tls takes extra memory to work.
How much extra free memory is required to enable tls?
I sometimes get wiced_tcp_connect() result=64449.
It's because ssl_handshake_client_async() returns 64449.
What is the meaning of this error code?
Hi Sam,
Could you double-check if the result is 64449? Here's a list of the TLS result errors. Hope this helps.
Regards,
Jaeyoung
TLS_SUCCESS = (0), /**< */ \
TLS_TIMEOUT = (2), /**< */ \
TLS_RECEIVE_FAILED = (5001), /**< */ \
TLS_ALERT_NO_CERTIFICATE = (5002), /**< */ \
TLS_ERROR_OUT_OF_MEMORY = (5003), /**< */ \
TLS_ERROR_FEATURE_UNAVAILABLE = (5004), /**< */ \
TLS_ERROR_BAD_INPUT_DATA = (5005), /**< */ \
TLS_ERROR_INVALID_MAC = (5006), /**< */ \
TLS_ERROR_INVALID_RECORD = (5007), /**< */ \
TLS_ERROR_INVALID_MODULUS_SIZE = (5008), /**< */ \
TLS_ERROR_UNKNOWN_CIPHER = (5009), /**< */ \
TLS_ERROR_NO_CIPHER_CHOSEN = (5010), /**< */ \
TLS_ERROR_NO_SESSION_FOUND = (5011), /**< */ \
TLS_ERROR_NO_CLIENT_CERTIFICATE = (5012), /**< */ \
TLS_ERROR_CERTIFICATE_TOO_LARGE = (5013), /**< */ \
TLS_ERROR_CERTIFICATE_REQUIRED = (5014), /**< */ \
TLS_ERROR_PRIVATE_KEY_REQUIRED = (5015), /**< */ \
TLS_ERROR_CA_CHAIN_REQUIRED = (5016), /**< */ \
TLS_ERROR_UNEXPECTED_MESSAGE = (5017), /**< */ \
TLS_ERROR_FATAL_ALERT_MESSAGE = (5018), /**< */ \
TLS_ERROR_PEER_VERIFY_FAILED = (5019), /**< */ \
TLS_ERROR_PEER_CLOSE_NOTIFY = (5020), /**< */ \
TLS_ERROR_BAD_HS_CLIENT_HELLO = (5021), /**< */ \
TLS_ERROR_BAD_HS_SERVER_HELLO = (5022), /**< */ \
TLS_ERROR_BAD_HS_CERTIFICATE = (5023), /**< */ \
TLS_ERROR_BAD_HS_CERTIFICATE_REQUEST = (5024), /**< */ \
TLS_ERROR_BAD_HS_SERVER_KEY_EXCHANGE = (5025), /**< */ \
TLS_ERROR_BAD_HS_SERVER_HELLO_DONE = (5026), /**< */ \
TLS_ERROR_BAD_HS_CLIENT_KEY_EXCHANGE = (5027), /**< */ \
TLS_ERROR_BAD_HS_CERTIFICATE_VERIFY = (5028), /**< */ \
TLS_ERROR_BAD_HS_CHANGE_CIPHER_SPEC = (5029), /**< */ \
TLS_ERROR_BAD_HS_FINISHED = (5030), /**< */ \
TLS_HANDSHAKE_TIMEOUT = (5031), /**< */ \
TLS_HANDSHAKE_ERROR = (5032), /**< */ \
TLS_INIT_FAIL = (5033), /**< */ \
TLS_BAD_MESSAGE = (5034), /**< */ \
TLS_UNTRUSTED_CERTIFICATE = (5035), /**< */ \
TLS_EXPIRED_CERTIFICATE = (5036), /**< */ \
TLS_CERTIFICATE_NAME_MISMATCH = (5037), /**< */ \
TLS_ERROR_DECRYPTION_FAIL = (5038), /**< */ \
TLS_ERROR_ENCRYPTION_FAIL = (5039), /**< */ \
TLS_ERROR_HMAC_CHECK_FAIL = (5040), /**< */ \
TLS_CERTIFICATE_REVOKED = (5041), /**< */ \
TLS_NO_DATA = (5042), /**< */ \
TLS_ERROR_UNSUPPORTED_EXTENSION = (5043),
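As an added example (not code from the WICED SDK or from anyone in this thread), the helper below maps a wiced_tcp_start_tls() / ssl_handshake_client_async() result to the tls_result_t names listed above and flags values that are not in that list, such as the 64449 (0xFBC1) reported in this thread. The table holds only a subset of the codes above; the reading of 0x8000..0xFFFF values as a negative number truncated to 16 bits is an assumption for diagnosis, not something the thread confirms.

```c
/* Added example, not WICED SDK code: decode a TLS result value against the
 * tls_result_t list posted above and flag values that fall outside it. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t    code;
    const char *name;
} tls_code_name_t;

/* Subset of the tls_result_t values from the post above; extend as needed. */
static const tls_code_name_t tls_codes[] = {
    { 0,    "TLS_SUCCESS" },
    { 2,    "TLS_TIMEOUT" },
    { 5001, "TLS_RECEIVE_FAILED" },
    { 5003, "TLS_ERROR_OUT_OF_MEMORY" },
    { 5013, "TLS_ERROR_CERTIFICATE_TOO_LARGE" },
    { 5017, "TLS_ERROR_UNEXPECTED_MESSAGE" },
    { 5018, "TLS_ERROR_FATAL_ALERT_MESSAGE" },
    { 5019, "TLS_ERROR_PEER_VERIFY_FAILED" },
    { 5031, "TLS_HANDSHAKE_TIMEOUT" },
    { 5032, "TLS_HANDSHAKE_ERROR" },
    { 5033, "TLS_INIT_FAIL" },
    { 5035, "TLS_UNTRUSTED_CERTIFICATE" },
    { 5036, "TLS_EXPIRED_CERTIFICATE" },
    { 5037, "TLS_CERTIFICATE_NAME_MISMATCH" },
    { 5043, "TLS_ERROR_UNSUPPORTED_EXTENSION" },
};

typedef enum {
    TLS_DIAG_OK,           /* TLS_SUCCESS */
    TLS_DIAG_GENERIC,      /* 1: the bare failure value reported in this thread */
    TLS_DIAG_LISTED,       /* a tls_result_t value from the table */
    TLS_DIAG_WRAPPED_NEG,  /* 0x8000..0xFFFF: looks like a negative value truncated to 16 bits (assumption) */
    TLS_DIAG_UNLISTED      /* anything else */
} tls_diag_t;

/* Name for a listed code, or NULL when the value is not in the table. */
const char *tls_result_name(uint32_t code)
{
    for (size_t i = 0; i < sizeof tls_codes / sizeof tls_codes[0]; i++) {
        if (tls_codes[i].code == code) {
            return tls_codes[i].name;
        }
    }
    return NULL;
}

/* Classify a result value. For 0x8000..0xFFFF, *signed16 receives the value it
 * would be as a 16-bit two's complement number (64449 -> -1087). */
tls_diag_t tls_diagnose(uint32_t code, int32_t *signed16)
{
    *signed16 = 0;
    if (code == 0) {
        return TLS_DIAG_OK;
    }
    if (code == 1) {
        return TLS_DIAG_GENERIC;
    }
    if (tls_result_name(code) != NULL) {
        return TLS_DIAG_LISTED;
    }
    if (code >= 0x8000u && code <= 0xFFFFu) {
        *signed16 = (int32_t)code - 0x10000;
        return TLS_DIAG_WRAPPED_NEG;
    }
    return TLS_DIAG_UNLISTED;
}

/* One-line diagnosis, as an application would print after wiced_tcp_start_tls() fails. */
void tls_report(uint32_t code)
{
    int32_t s16;
    switch (tls_diagnose(code, &s16)) {
    case TLS_DIAG_OK:
        printf("result %u: TLS_SUCCESS\n", (unsigned)code);
        break;
    case TLS_DIAG_GENERIC:
        printf("result %u: generic failure, enable the library's own prints to find the cause\n", (unsigned)code);
        break;
    case TLS_DIAG_LISTED:
        printf("result %u: %s\n", (unsigned)code, tls_result_name(code));
        break;
    case TLS_DIAG_WRAPPED_NEG:
        printf("result %u (0x%04X): not a tls_result_t; as int16 it would be %d\n",
               (unsigned)code, (unsigned)code, (int)s16);
        break;
    default:
        printf("result %u: not in the tls_result_t list\n", (unsigned)code);
        break;
    }
}

int main(void)
{
    uint32_t seen[] = { 1, 5003, 64449 };  /* the three values reported in this thread */
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        tls_report(seen[i]);
    }
    return 0;
}
```

The point of the classifier is that 5003 (TLS_ERROR_OUT_OF_MEMORY) is a documented code, while 1 and 64449 are not, so they need to be chased through the library's own prints rather than the enum.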
Here is how I got the result, and it's 64449.
In wiced_tcp_start_tls_with_ciphers():
    result = ssl_handshake_client_async( &tls_context->context );
    if ( result != TLS_SUCCESS )
    {
        printf("handshake result=%u\r\n", result);
        WPRINT_SECURITY_INFO(( "Error with TLS handshake\n" ));
        goto exit_with_inited_context;
    }
Hi jaeyoung,
I'm completely lost here, as we don't have the code to trace this issue.
The first time calling ssl_handshake_client_async() returns 64449.
Then all ssl_handshake_client_async() calls return 1.
Any comments?
Just to update this issue:
I don't provide a root CA, so I'm using SSL_VERIFY_NONE.
My previous comment only shows the first error returned by ssl_handshake_client_async().
I just noticed the behavior below when calling wiced_tcp_start_tls_with_ciphers():
wiced_tcp_start_tls_with_ciphers() has a do-while loop, so what I actually got is:
ssl_handshake_client_async() returns 0.
ssl_handshake_client_async() returns 0.
ssl_handshake_client_async() returns 0.
ssl_handshake_client_async() returns 0.
ssl_handshake_client_async() returns 0xFBC1 (It's 64449).
And then next time calling wiced_tcp_start_tls_with_ciphers(), I got:
ssl_handshake_client_async() returns 0.
ssl_handshake_client_async() returns 0.
ssl_handshake_client_async() returns 0.
ssl_handshake_client_async() returns 1.
The same pattern every time I reboot and re-test.
This might be a memory issue.
The ssl_handshake_client_async() error might be an OOM.
From my observation, wiced_tcp_start_tls with SSL_VERIFY_NONE will take
at least 10K+ memory, which is pretty big for some platforms.
So that is exactly the initial question of this thread: how much memory is
required to enable tls?
Hi,
You can find the information when you compile your app. It will be under "Supplicant - BESL".
Thanks,
Jaeyoung
I know that.
What I want to know is the dynamically allocated memory, i.e. what is allocated by malloc.
If start tls also starts another thread, I'd like to know the stack size as well.
Now I can reproduce the 64449 error code and the 5003 error with a modified
https_get snip code.
All I did was add a big array and test https_get with the link below:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.1
It's fine if I add a 30K array.
If I add a 50K array, I get result=5003.
If I add a 60K array, I get result=64449.
Adding a big array is just to simulate a bigger firmware that takes more
memory. I think even if I add a 50K array in the snip code, I still have 100k+
free memory available. So I have no idea why I get OOM and https_get fails.
The 5003 error is returned from tls_get_next_record().
We haven't got any fix, so this is still an issue for us.
I remember someone replied in another thread that the https issue might be fixed
in a newer SDK, but the situation is we have a product in the production stage
with SDK-3.1.2. So we need the fix for SDK-3.1.2.
I still get the 5003 error in SDK-3.5.1 with the same test (trying to download a 132k file).
The first error is tls_get_next_record() returning 5003.
So back to my original question:
How much memory is required to enable TLS? Is there any limitation?
Hi Sam and Broadcom team,
I also got return code 1 (but only code 1; there is no other error code in my case), but I found that it seems to be related to the CA information.
I tried to use a CA without "*." in the RelativeDistinguishedName item for id 'id-at-commonName', and then it works without returning an error code. So, it was not a memory related issue in my case.
I still don't know why there is any relationship between ssl_handshake_client_async and the certificate file during the TLS handshake.
Could you comment on my finding?
BTW, I've already chosen TLS_NO_VERIFICATION for this case.
Hi Sam and Broadcom team,
It seemed to be an issue with the *pre-allocated memory* for the certificate file.
I've done a test trimming down the certificate file size, and then it works without returning error code 1.
mwf_mmfae, would it be possible for Broadcom to provide the limit on the buffer size used for the TLS handshake?
TLS does require a significant amount of memory (> 10KB) on the heap.
In order to check the amount of free memory in your runtime you can add the following print at any point in your code to check the amount of memory being used:
#include <malloc.h>   /* struct mallinfo, mallinfo() */
#include <stdio.h>

/* Snapshot the allocator's bookkeeping and print every field. */
volatile struct mallinfo mi = mallinfo( );
printf( "malloc_info {\r\n"
        "\tarena: \t%5d;\t/* total space allocated from system */\r\n"
        "\tordblks: \t%5d;\t/* number of non-inuse chunks */\r\n"
        "\tsmblks: \t%5d;\t/* unused -- always zero */\r\n"
        "\thblks: \t%5d;\t/* number of mmapped regions */\r\n"
        "\thblkhd: \t%5d;\t/* total space in mmapped regions */\r\n"
        "\tusmblks: \t%5d;\t/* unused -- always zero */\r\n"
        "\tfsmblks: \t%5d;\t/* unused -- always zero */\r\n"
        "\tuordblks:\t%5d;\t/* total allocated space */\r\n"
        "\tfordblks:\t%5d;\t/* total non-inuse space */\r\n"
        "\tkeepcost:\t%5d;\t/* top-most, releasable (via malloc_trim) space */\r\n"
        "};\r\n",
        mi.arena,
        mi.ordblks,
        mi.smblks,
        mi.hblks,
        mi.hblkhd,
        mi.usmblks,
        mi.fsmblks,
        mi.uordblks,
        mi.fordblks,
        mi.keepcost );
Hi nsankar,
I got the output below on a BCM4390 device running FreeRTOS+LwIP,
but I'm confused about these values:
arena:62920 ordblks: 6 smblks: 0 hblks: 0 hblkhd 0 usmblks: 0 fsmblks: 0 uordblks:57120 fordblks:5800 keepcost:4256
Could you explain a bit about how to interpret the mallinfo output?
nsankar wrote:
TLS does require a significant amount of memory (> 10KB) on the heap
In order to check the amount of free memory in your runtime you can add the following print at any point in your code to check for the amount of memory being used -
volatile struct mallinfo mi = mallinfo( );
Hi nsankar,
Knowing that enabling TLS will take more than 10K of memory is not enough.
People need to know the *maximum* memory required for enabling TLS per
session. It would be good if Broadcom could provide documentation about this.
Thanks.
Hi Broadcom team, nsankar mwf_mmfae
Would you explain my test result based on snip.https_client as below?
The code memory information is as below;
the platform is based on BCM943341WCD1 (STM32F417, RAM: 128 + 64 (CCM)):
----------------------------------+---------+---------+
Module                            | Flash   | Static  |
                                  |         | RAM     |
----------------------------------+---------+---------+
App                               |    1009 |    2048 |
base64                            |     519 |       0 |
crypto_open                       |   50177 |       0 |
DHCP_Server                       |    1590 |     132 |
DNS                               |    1536 |      44 |
FreeRTOS                          |    4923 |     416 |
Host MCU-family library           |   12132 |    2400 |
HTTP_client                       |     554 |       0 |
Interrupt Vectors                 |     388 |       0 |
libc                              |   33267 |    3132 |
LwIP                              |   27520 |    2107 |
Networking                        |    4013 |     336 |
Packet Buffers                    |       0 |   26724 |
platform                          |    1136 |      92 |
RAM Initialisation                |    2476 |       0 |
resources                         |      16 |       0 |
Ring_Buffer                       |      92 |       0 |
Startup Stack & Link Script fill  |      58 |      29 |
Supplicant - BESL                 |   15487 |     504 |
Wi-Fi Firmware                    |  370096 |       0 |
WICED                             |    3900 |     100 |
WWD                               |   11799 |     176 |
----------------------------------+---------+---------+
TOTAL (bytes)                     |  540212 |   38240 |
----------------------------------+---------+---------+
1. Information from mallinfo before running an HTTPS GET request to www.google.com
malloc_info {
arena: 23196;/* total space allocated from system */
ordblks: 1;/* number of non-inuse chunks */
smblks: 0;/* unused -- always zero */
hblks: 0;/* number of mmapped regions */
hblkhd: 0;/* total space in mmapped regions */
usmblks: 0;/* unused -- always zero */
fsmblks: 0;/* unused -- always zero */
uordblks:22076;/* total allocated space */
fordblks: 1120;/* total non-inuse space */
keepcost: 1120;/* top-most, releasable (via malloc_trim) space */
};
2. Information from mallinfo *AFTER* a sequence of calls to the http_stream_* APIs
malloc_info {
arena: 39580;/* total space allocated from system */
ordblks: 1;/* number of non-inuse chunks */
smblks: 0;/* unused -- always zero */
hblks: 0;/* number of mmapped regions */
hblkhd: 0;/* total space in mmapped regions */
usmblks: 0;/* unused -- always zero */
fsmblks: 0;/* unused -- always zero */
uordblks:22076;/* total allocated space */
fordblks:17504;/* total non-inuse space */
keepcost:17504;/* top-most, releasable (via malloc_trim) space */
};
3. Running the HTTPS GET request iteratively, allocating an additional 1000 bytes in each round, causes the *networking thread* to block forever without returning an error cause to the application.
More specifically, the following questions are waiting for your specialist:
1. What exactly is the memory needed by the TLS library provided by the WICED platform? How would you expect your customer to deal with the answer *10k+*?
2. Is there any dependency between the certificate file provided by the target site being visited and the memory usage required by the TLS library?
3. Does the TLS library handle the memory limitation correctly and provide a corresponding error code to the application layer without blocking the caller indefinitely?
This test is based on a modification of https_client.c; you can download it from the attachment.
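As an added example (not code from this thread or from the WICED SDK), the program below turns the mallinfo() fields printed in the posts above into the numbers a practitioner actually wants: a consistency check (arena must equal uordblks + fordblks, which holds for every dump in this thread), the heap still held after an HTTPS session, the arena growth that session caused, and a preflight check to run before wiced_tcp_start_tls(). The sample snapshots are the two dumps posted above; heap_limit, TLS_MIN_FREE_HEAP, the `_NEWLIB_VERSION`/`__GLIBC__` guard around the live mallinfo() call, and the reading of arena growth as the session's extra peak heap (newlib obtains heap with sbrk() and does not return it) are assumptions to verify against your own board and linker map.

```c
/* Added example, not WICED SDK code: interpret mallinfo() output and measure
 * what one HTTPS session takes from the heap. Sample values are the dumps
 * posted in this thread; heap_limit and TLS_MIN_FREE_HEAP are placeholders. */
#include <stdio.h>

#if defined(__GLIBC__) || defined(_NEWLIB_VERSION)   /* assumed: both provide <malloc.h> mallinfo() */
#include <malloc.h>
#endif

/* The mallinfo fields that matter on a single-heap embedded target; hblks and
 * hblkhd are mmap statistics and stay zero under newlib on FreeRTOS. */
typedef struct {
    long arena;     /* bytes the allocator has taken from the system (sbrk) so far */
    long uordblks;  /* bytes currently handed out to callers */
    long fordblks;  /* bytes free inside the arena, usable without growing it */
} heap_snapshot_t;

/* Read the live allocator state; zeros on a libc without mallinfo(). */
heap_snapshot_t heap_snapshot_take(void)
{
    heap_snapshot_t s = { 0, 0, 0 };
#if defined(__GLIBC__) || defined(_NEWLIB_VERSION)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"   /* glibc >= 2.33 deprecates mallinfo() */
    struct mallinfo mi = mallinfo();
#pragma GCC diagnostic pop
    s.arena    = mi.arena;
    s.uordblks = mi.uordblks;
    s.fordblks = mi.fordblks;
#endif
    return s;
}

/* arena must be exactly used + free; if not, the fields were read from a
 * different struct layout than expected. */
int heap_snapshot_consistent(const heap_snapshot_t *s)
{
    return s->arena == s->uordblks + s->fordblks;
}

/* Heap still held after the work between two snapshots: a leak or a cached
 * context if it does not come back to zero. */
long heap_retained_between(const heap_snapshot_t *before, const heap_snapshot_t *after)
{
    return after->uordblks - before->uordblks;
}

/* Arena growth between two snapshots. Assumption: the allocator grows the arena
 * with sbrk() and never shrinks it, so this is the extra peak heap the work
 * needed beyond the earlier high-water mark, even after everything was freed. */
long heap_peak_growth_between(const heap_snapshot_t *before, const heap_snapshot_t *after)
{
    return after->arena - before->arena;
}

/* Bytes a new allocation can still draw on: free chunks inside the arena plus
 * the room the arena can still grow into before reaching heap_limit, the total
 * heap the linker script reserves for malloc (caller-supplied assumption). */
long heap_available(const heap_snapshot_t *s, long heap_limit)
{
    long room = heap_limit - s->arena;
    return s->fordblks + (room > 0 ? room : 0);
}

/* Placeholder threshold: the posts above put one TLS session above 10 KB;
 * replace it with the peak growth measured on your own board. */
#define TLS_MIN_FREE_HEAP (12 * 1024L)

/* Preflight for wiced_tcp_start_tls(): fail early with a clear reason instead
 * of letting the handshake fail deep inside the library (5003, or a hang). */
int tls_preflight_ok(const heap_snapshot_t *s, long heap_limit)
{
    return heap_available(s, heap_limit) >= TLS_MIN_FREE_HEAP;
}

int main(void)
{
    /* Constructed from the two dumps posted above: before the HTTPS GET and
     * after the http_stream_* calls. */
    heap_snapshot_t before = { 23196, 22076, 1120 };
    heap_snapshot_t after  = { 39580, 22076, 17504 };
    long heap_limit = 64 * 1024L;   /* assumed heap size; take yours from the linker map */

    printf("consistent: before=%d after=%d\n",
           heap_snapshot_consistent(&before), heap_snapshot_consistent(&after));
    printf("retained after session: %ld bytes\n", heap_retained_between(&before, &after));
    printf("extra peak heap the session needed: %ld bytes\n", heap_peak_growth_between(&before, &after));
    printf("available before: %ld bytes, preflight ok: %d\n",
           heap_available(&before, heap_limit), tls_preflight_ok(&before, heap_limit));

    heap_snapshot_t live = heap_snapshot_take();
    printf("this process now: arena=%ld used=%ld free=%ld\n", live.arena, live.uordblks, live.fordblks);
    return 0;
}
```

Run on the two dumps above, the session retains nothing (uordblks is 22076 both times) but the arena grew by 16384 bytes, which is the number to compare against the free heap before deciding whether a TLS session can be started on a given build.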
Have you considered looking at ZentriOS? It automates much of the memory management concerns you refer to.
If you want to use an EXTERNAL microcontroller:
https://docs.zentri.com/wifi/cmd/latest/search?q=memory
https://docs.zentri.com/wifi/cmd/latest/search?q=tls
If you want to use the INTERNAL microcontroller