How much memory is required to enable tls?


Anonymous
Not applicable

I'm testing https for my application and I found http works but https fails.

The error is:

wiced_tcp_connect returns 1.

which is because wiced_tcp_start_tls returns 1.

which is because

    wiced_tcp_start_tls
    -> wiced_tcp_start_tls_with_ciphers
    -> ssl_handshake_client_async returns 1.

I remove some features in my application at compile time and then https works.

It seems tls takes extra memory to work.

How much extra free memory is required to enable tls?

0 Likes
20 Replies
Anonymous
Not applicable

I sometimes got wiced_tcp_connect() result=64449

It's because ssl_handshake_client_async() returns 64449.

What is the meaning of this error code?

0 Likes

Hi Sam,

Could you double-check if the result is 64449? Here's a list of the TLS result errors. Hope this helps.

Regards,

Jaeyoung

    TLS_SUCCESS = (0),
    TLS_TIMEOUT = (2),
    TLS_RECEIVE_FAILED = (5001),
    TLS_ALERT_NO_CERTIFICATE = (5002),
    TLS_ERROR_OUT_OF_MEMORY = (5003),
    TLS_ERROR_FEATURE_UNAVAILABLE = (5004),
    TLS_ERROR_BAD_INPUT_DATA = (5005),
    TLS_ERROR_INVALID_MAC = (5006),
    TLS_ERROR_INVALID_RECORD = (5007),
    TLS_ERROR_INVALID_MODULUS_SIZE = (5008),
    TLS_ERROR_UNKNOWN_CIPHER = (5009),
    TLS_ERROR_NO_CIPHER_CHOSEN = (5010),
    TLS_ERROR_NO_SESSION_FOUND = (5011),
    TLS_ERROR_NO_CLIENT_CERTIFICATE = (5012),
    TLS_ERROR_CERTIFICATE_TOO_LARGE = (5013),
    TLS_ERROR_CERTIFICATE_REQUIRED = (5014),
    TLS_ERROR_PRIVATE_KEY_REQUIRED = (5015),
    TLS_ERROR_CA_CHAIN_REQUIRED = (5016),
    TLS_ERROR_UNEXPECTED_MESSAGE = (5017),
    TLS_ERROR_FATAL_ALERT_MESSAGE = (5018),
    TLS_ERROR_PEER_VERIFY_FAILED = (5019),
    TLS_ERROR_PEER_CLOSE_NOTIFY = (5020),
    TLS_ERROR_BAD_HS_CLIENT_HELLO = (5021),
    TLS_ERROR_BAD_HS_SERVER_HELLO = (5022),
    TLS_ERROR_BAD_HS_CERTIFICATE = (5023),
    TLS_ERROR_BAD_HS_CERTIFICATE_REQUEST = (5024),
    TLS_ERROR_BAD_HS_SERVER_KEY_EXCHANGE = (5025),
    TLS_ERROR_BAD_HS_SERVER_HELLO_DONE = (5026),
    TLS_ERROR_BAD_HS_CLIENT_KEY_EXCHANGE = (5027),
    TLS_ERROR_BAD_HS_CERTIFICATE_VERIFY = (5028),
    TLS_ERROR_BAD_HS_CHANGE_CIPHER_SPEC = (5029),
    TLS_ERROR_BAD_HS_FINISHED = (5030),
    TLS_HANDSHAKE_TIMEOUT = (5031),
    TLS_HANDSHAKE_ERROR = (5032),
    TLS_INIT_FAIL = (5033),
    TLS_BAD_MESSAGE = (5034),
    TLS_UNTRUSTED_CERTIFICATE = (5035),
    TLS_EXPIRED_CERTIFICATE = (5036),
    TLS_CERTIFICATE_NAME_MISMATCH = (5037),
    TLS_ERROR_DECRYPTION_FAIL = (5038),
    TLS_ERROR_ENCRYPTION_FAIL = (5039),
    TLS_ERROR_HMAC_CHECK_FAIL = (5040),
    TLS_CERTIFICATE_REVOKED = (5041),
    TLS_NO_DATA = (5042),
    TLS_ERROR_UNSUPPORTED_EXTENSION = (5043),

0 Likes
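The list above turned into a lookup helper, as an added example written for this page (it is not code from the thread or from the WICED SDK). It maps a raw result number back to its symbolic name, and for a value that is not in the list, such as the 64449 reported earlier in the thread, it prints the hex form (0xFBC1) and the same bits read as a signed 16-bit integer. That last figure is arithmetic, not a diagnosis of where the value came from. Note also that 1, the other value the thread reports, does not appear in the list at all. The X-macro layout and the function names are this example's own; the names and numbers are the ones posted.

```c
/* Added example: decode raw TLS result values against the list posted above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The posted list as an X-macro so the enum and the name table cannot drift apart. */
#define TLS_RESULT_LIST(X) \
    X(TLS_SUCCESS, 0) \
    X(TLS_TIMEOUT, 2) \
    X(TLS_RECEIVE_FAILED, 5001) \
    X(TLS_ALERT_NO_CERTIFICATE, 5002) \
    X(TLS_ERROR_OUT_OF_MEMORY, 5003) \
    X(TLS_ERROR_FEATURE_UNAVAILABLE, 5004) \
    X(TLS_ERROR_BAD_INPUT_DATA, 5005) \
    X(TLS_ERROR_INVALID_MAC, 5006) \
    X(TLS_ERROR_INVALID_RECORD, 5007) \
    X(TLS_ERROR_INVALID_MODULUS_SIZE, 5008) \
    X(TLS_ERROR_UNKNOWN_CIPHER, 5009) \
    X(TLS_ERROR_NO_CIPHER_CHOSEN, 5010) \
    X(TLS_ERROR_NO_SESSION_FOUND, 5011) \
    X(TLS_ERROR_NO_CLIENT_CERTIFICATE, 5012) \
    X(TLS_ERROR_CERTIFICATE_TOO_LARGE, 5013) \
    X(TLS_ERROR_CERTIFICATE_REQUIRED, 5014) \
    X(TLS_ERROR_PRIVATE_KEY_REQUIRED, 5015) \
    X(TLS_ERROR_CA_CHAIN_REQUIRED, 5016) \
    X(TLS_ERROR_UNEXPECTED_MESSAGE, 5017) \
    X(TLS_ERROR_FATAL_ALERT_MESSAGE, 5018) \
    X(TLS_ERROR_PEER_VERIFY_FAILED, 5019) \
    X(TLS_ERROR_PEER_CLOSE_NOTIFY, 5020) \
    X(TLS_ERROR_BAD_HS_CLIENT_HELLO, 5021) \
    X(TLS_ERROR_BAD_HS_SERVER_HELLO, 5022) \
    X(TLS_ERROR_BAD_HS_CERTIFICATE, 5023) \
    X(TLS_ERROR_BAD_HS_CERTIFICATE_REQUEST, 5024) \
    X(TLS_ERROR_BAD_HS_SERVER_KEY_EXCHANGE, 5025) \
    X(TLS_ERROR_BAD_HS_SERVER_HELLO_DONE, 5026) \
    X(TLS_ERROR_BAD_HS_CLIENT_KEY_EXCHANGE, 5027) \
    X(TLS_ERROR_BAD_HS_CERTIFICATE_VERIFY, 5028) \
    X(TLS_ERROR_BAD_HS_CHANGE_CIPHER_SPEC, 5029) \
    X(TLS_ERROR_BAD_HS_FINISHED, 5030) \
    X(TLS_HANDSHAKE_TIMEOUT, 5031) \
    X(TLS_HANDSHAKE_ERROR, 5032) \
    X(TLS_INIT_FAIL, 5033) \
    X(TLS_BAD_MESSAGE, 5034) \
    X(TLS_UNTRUSTED_CERTIFICATE, 5035) \
    X(TLS_EXPIRED_CERTIFICATE, 5036) \
    X(TLS_CERTIFICATE_NAME_MISMATCH, 5037) \
    X(TLS_ERROR_DECRYPTION_FAIL, 5038) \
    X(TLS_ERROR_ENCRYPTION_FAIL, 5039) \
    X(TLS_ERROR_HMAC_CHECK_FAIL, 5040) \
    X(TLS_CERTIFICATE_REVOKED, 5041) \
    X(TLS_NO_DATA, 5042) \
    X(TLS_ERROR_UNSUPPORTED_EXTENSION, 5043)

typedef enum {
#define AS_ENUM(name, value) name = (value),
    TLS_RESULT_LIST(AS_ENUM)
#undef AS_ENUM
} tls_result_code;

static const struct { unsigned value; const char *name; } tls_result_names[] = {
#define AS_PAIR(name, value) { (value), #name },
    TLS_RESULT_LIST(AS_PAIR)
#undef AS_PAIR
};

/* Symbolic name for a result value, or NULL when the value is not in the list. */
const char *tls_result_name(unsigned value) {
    for (size_t i = 0; i < sizeof tls_result_names / sizeof tls_result_names[0]; i++)
        if (tls_result_names[i].value == value) return tls_result_names[i].name;
    return NULL;
}

/* The low 16 bits of the value reinterpreted as a signed integer: 64449 -> -1087. */
int16_t tls_result_as_int16(unsigned value) { return (int16_t)(uint16_t)value; }

/* One-line description for a log: "5003 = TLS_ERROR_OUT_OF_MEMORY", or for an
 * unknown value its hex form and signed-16-bit reading. Returns a static buffer. */
const char *describe_tls_result(unsigned value) {
    static char buf[96];
    const char *name = tls_result_name(value);
    if (name)
        snprintf(buf, sizeof buf, "%u = %s", value, name);
    else
        snprintf(buf, sizeof buf, "%u = 0x%04X (not in the TLS list; as int16_t: %d)",
                 value, value & 0xFFFFu, (int)tls_result_as_int16(value));
    return buf;
}

int main(void) {
    unsigned seen[] = { 1u, 5003u, 64449u };   /* the three values reported in the thread */
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) puts(describe_tls_result(seen[i]));
    return 0;
}
```

Run it and the three reported values print as "1 = 0x0001 (not in the TLS list ...)", "5003 = TLS_ERROR_OUT_OF_MEMORY" and "64449 = 0xFBC1 (not in the TLS list; as int16_t: -1087)", which is the first thing to check before reasoning about a number: whether it belongs to this enum at all.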
Anonymous
Not applicable

Here is how I got the result, and it's 64449.

In wiced_tcp_start_tls_with_ciphers():

    result = ssl_handshake_client_async( &tls_context->context );
    if ( result != TLS_SUCCESS )
    {
        printf("handshake result=%u\r\n", result);
        WPRINT_SECURITY_INFO(( "Error with TLS handshake\n" ));
        goto exit_with_inited_context;
    }

0 Likes
Anonymous
Not applicable

Hi jaeyoung,

I'm completely lost here, as we don't have the code to trace this issue.

The first time calling ssl_handshake_client_async() returns 64449.

Then all ssl_handshake_client_async() calls return 1.

Any comments?

0 Likes
Anonymous
Not applicable

Just to update this issue:

I don't provide root ca, so I'm using SSL_VERIFY_NONE.

My previous comment only shows the first error returned by ssl_handshake_client_async().

I just noticed the behavior below when calling wiced_tcp_start_tls_with_ciphers():

wiced_tcp_start_tls_with_ciphers() has a do-while loop, so what I actually got is:

    ssl_handshake_client_async() returns 0.
    ssl_handshake_client_async() returns 0.
    ssl_handshake_client_async() returns 0.
    ssl_handshake_client_async() returns 0.
    ssl_handshake_client_async() returns 0xFBC1 (It's 64449).

And then the next time calling wiced_tcp_start_tls_with_ciphers(), I got:

    ssl_handshake_client_async() returns 0.
    ssl_handshake_client_async() returns 0.
    ssl_handshake_client_async() returns 0.
    ssl_handshake_client_async() returns 1.

The same pattern every time I reboot and re-test.

0 Likes
Anonymous
Not applicable

This might be a memory issue.

The ssl_handshake_client_async() error might be an OOM.

From my observation, wiced_tcp_start_tls with SSL_VERIFY_NONE will take at least 10K+ memory, which is pretty big for some platforms.

So that is exactly the initial question of this thread: how much memory is required to enable tls?

0 Likes

Hi,

You can find the information when you compile your app. It will be under "Supplicant - BESL".

Thanks,

Jaeyoung

tls_memory.PNG

0 Likes
Anonymous
Not applicable

I know that.

What I want to know is the dynamically allocated memory which is allocated by malloc.

If starting TLS also starts another thread, I'd like to know the stack size as well.

0 Likes
Anonymous
Not applicable

Now I can reproduce the 64449 error code and the 5003 error with a modified https_get snip code.

All I did was add a big array and test https_get with the link below:

https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.1

It's fine if I add a 30K array.

If I add a 50K array, I get result=5003.

If I add a 60K array, I get result=64449.

Adding a big array is just to simulate a bigger firmware that takes more memory. I think that even if I add a 50K array in the snip code, I still have 100k+ free memory available. So I have no idea why I get OOM and https_get fails.

The 5003 error is returned from tls_get_next_record().

Anonymous
Not applicable

Any fix for this? It seems to be related to ssl_handshake_client_async() returning an OUT_OF_MEMORY error?

0 Likes
Anonymous
Not applicable

We haven't got any fix, so this is still an issue for us.

I remember someone replied in another thread that the https issue might be fixed in a newer SDK, but the situation is that we have a product in the production stage with SDK-3.1.2. So we need the fix for SDK-3.1.2.

0 Likes
Anonymous
Not applicable

I still got 5003 error in SDK-3.5.1 with the same test (trying to download a 132k file).

The first error is tls_get_next_record() returns 5003

So back to my original question:

How much memory is required to enable TLS? Is there any limitation?

0 Likes

Hi Sam and Broadcom team,

I also got return code 1 (but only code 1; there is no other error code in my case), but I found that it seems to be related to the CA information.

I tried to use a CA without "*." in the RelativeDistinguishedName item for id 'id-at-commonName', and then it works without returning an error code. So it was not a memory-related issue in my case.

I still don't know why there is any relationship between ssl_handshake_client_async and the certificate file during the TLS handshake.

Do you have any comment on my finding?

0 Likes

BTW, I've already chosen TLS_NO_VERIFICATION for this case.

0 Likes

Hi Sam and Broadcom team,

It seemed to be the issue of *pre-alloc memory* for the certificate file.

I've done a test to trim down the certificate file size, and then it works without returning error code 1.

mwf_mmfae, would it be possible for Broadcom to provide the limit on the buffer size used for the TLS handshake?

0 Likes
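A check that goes with the finding above, as an added example written for this page (not code from the thread or from the WICED SDK): before handing a PEM bundle to a stack that keeps certificates in fixed-size buffers, measure what each CERTIFICATE block actually decodes to in DER bytes and compare it against a budget. The budget numbers are parameters the caller supplies, because the thread asks for WICED's real limit and does not get it; the sample bundle is constructed placeholder base64 with known decoded sizes (25 and 12 bytes), not real certificates. The function names are this example's own.

```c
/* Added example: size every certificate in a PEM bundle before it reaches the TLS stack. */
#include <stddef.h>
#include <string.h>

#define PEM_BEGIN_CERT "-----BEGIN CERTIFICATE-----"
#define PEM_END_CERT   "-----END CERTIFICATE-----"
#define PEM_MAX_CERTS  16

/* Decoded size of a base64 body that may contain line breaks: every four
 * symbols carry three bytes, minus one byte per '=' pad. Returns 0 for a
 * body whose symbol count is not a multiple of four or with more than two
 * pads, i.e. a malformed block. */
static size_t base64_decoded_len(const char *s, const char *end) {
    size_t symbols = 0, pad = 0;
    for (; s < end; s++) {
        if (*s == '\r' || *s == '\n' || *s == ' ' || *s == '\t') continue;
        if (*s == '=') pad++;
        symbols++;
    }
    if (symbols % 4 != 0 || pad > 2) return 0;
    return symbols / 4 * 3 - pad;
}

/* DER size of every CERTIFICATE block in the bundle, in order; returns the count. */
size_t pem_cert_sizes(const char *pem, size_t *sizes, size_t max) {
    size_t n = 0;
    const char *p = pem;
    while (n < max) {
        const char *b = strstr(p, PEM_BEGIN_CERT);
        if (b == NULL) break;
        b += strlen(PEM_BEGIN_CERT);
        const char *e = strstr(b, PEM_END_CERT);
        if (e == NULL) break;               /* unterminated block: stop, do not guess */
        sizes[n++] = base64_decoded_len(b, e);
        p = e + strlen(PEM_END_CERT);
    }
    return n;
}

size_t pem_cert_count(const char *pem) {
    size_t sizes[PEM_MAX_CERTS];
    return pem_cert_sizes(pem, sizes, PEM_MAX_CERTS);
}

/* Largest single certificate: what a per-certificate parse buffer must hold. */
size_t pem_largest_cert(const char *pem) {
    size_t sizes[PEM_MAX_CERTS], best = 0;
    size_t n = pem_cert_sizes(pem, sizes, PEM_MAX_CERTS);
    for (size_t i = 0; i < n; i++) if (sizes[i] > best) best = sizes[i];
    return best;
}

/* Whole chain in DER: what a chain buffer must hold. */
size_t pem_total_der(const char *pem) {
    size_t sizes[PEM_MAX_CERTS], total = 0;
    size_t n = pem_cert_sizes(pem, sizes, PEM_MAX_CERTS);
    for (size_t i = 0; i < n; i++) total += sizes[i];
    return total;
}

/* 1 if the bundle is non-empty, every certificate fits per_cert_budget and
 * the whole chain fits chain_budget; 0 otherwise. Both budgets are caller
 * assumptions about the TLS stack, not values documented in the thread. */
int pem_fits_budget(const char *pem, size_t per_cert_budget, size_t chain_budget) {
    return pem_cert_count(pem) > 0
        && pem_largest_cert(pem) <= per_cert_budget
        && pem_total_der(pem) <= chain_budget;
}

/* Constructed sample: placeholder base64, not real certificates. Block one is
 * 32 symbols + "AA==" (24 + 1 = 25 bytes), block two is 16 symbols (12 bytes). */
const char SAMPLE_BUNDLE[] =
    "-----BEGIN CERTIFICATE-----\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "AA==\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "AAAAAAAAAAAAAAAA\n"
    "-----END CERTIFICATE-----\n";
```

With a real bundle, run pem_largest_cert() and pem_total_der() on the host build and compare the figures with the buffer sizes in the stack you ship; a trimmed bundle that "works" is one whose largest block came in under a limit you can then name.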
Anonymous
Not applicable

TLS does require a significant amount of memory (> 10KB) on the heap.

In order to check the amount of free memory in your runtime you can add the following print at any point in your code to check for the amount of memory being used -

    #include <malloc.h>   /* struct mallinfo, mallinfo() */
    #include <stdio.h>

    volatile struct mallinfo mi = mallinfo( );
    printf( "malloc_info {\r\n"
            "\tarena:   \t%5d;\t/* total space allocated from system */\r\n"
            "\tordblks: \t%5d;\t/* number of non-inuse chunks */\r\n"
            "\tsmblks:  \t%5d;\t/* unused -- always zero */\r\n"
            "\thblks:   \t%5d;\t/* number of mmapped regions */\r\n"
            "\thblkhd:  \t%5d;\t/* total space in mmapped regions */\r\n"
            "\tusmblks: \t%5d;\t/* unused -- always zero */\r\n"
            "\tfsmblks: \t%5d;\t/* unused -- always zero */\r\n"
            "\tuordblks:\t%5d;\t/* total allocated space */\r\n"
            "\tfordblks:\t%5d;\t/* total non-inuse space */\r\n"
            "\tkeepcost:\t%5d;\t/* top-most, releasable (via malloc_trim) space */\r\n"
            "};\r\n",
            mi.arena, mi.ordblks, mi.smblks, mi.hblks, mi.hblkhd,
            mi.usmblks, mi.fsmblks, mi.uordblks, mi.fordblks, mi.keepcost );

0 Likes
Anonymous
Not applicable

Hi nsankar,

I got below output on a BCM4390 device running FreeRTOS+LwIP,

but I got confused about these values:

arena:62920 ordblks:    6 smblks:    0 hblks:    0 hblkhd    0 usmblks:    0 fsmblks:    0 uordblks:57120 fordblks:5800 keepcost:4256

Could you explain a bit about how to interpret the mallinfo output?

0 Likes

nsankar wrote:

TLS does require a significant amount of memory (> 10KB) on the heap

In order to check the amount of free memory in your runtime you can add the following print at any point in your code to check for the amount of memory being used -

    volatile struct mallinfo mi = mallinfo( );

Hi nsankar

Knowing that enabling TLS will take more than 10K memory is not enough.

People need to know the *maximum* memory required for enabling TLS per session. It would be good if Broadcom could provide documentation about this.

Thanks.

0 Likes

Hi Broadcom team, nsankar, mwf_mmfae

Would you explain my test result based on snip.https_client as below?

The code memory information is as below:

platform is based on BCM943341WCD1 (STM32F417, RAM: 128 + 64 (CCM))

    ----------------------------------|---------|---------|
                                      |         |  Static |
                  Module              |  Flash  |   RAM   |
    ----------------------------------+---------+---------|
    App                               |    1009 |    2048 |
    base64                            |     519 |       0 |
    crypto_open                       |   50177 |       0 |
    DHCP_Server                       |    1590 |     132 |
    DNS                               |    1536 |      44 |
    FreeRTOS                          |    4923 |     416 |
    Host MCU-family library           |   12132 |    2400 |
    HTTP_client                       |     554 |       0 |
    Interrupt Vectors                 |     388 |       0 |
    libc                              |   33267 |    3132 |
    LwIP                              |   27520 |    2107 |
    Networking                        |    4013 |     336 |
    Packet Buffers                    |       0 |   26724 |
    platform                          |    1136 |      92 |
    RAM Initialisation                |    2476 |       0 |
    resources                         |      16 |       0 |
    Ring_Buffer                       |      92 |       0 |
    Startup Stack & Link Script fill  |      58 |      29 |
    Supplicant - BESL                 |   15487 |     504 |
    Wi-Fi Firmware                    |  370096 |       0 |
    WICED                             |    3900 |     100 |
    WWD                               |   11799 |     176 |
    ----------------------------------+---------+---------|
    TOTAL (bytes)                     |  540212 |   38240 |
    ----------------------------------|---------|---------|

1. Information from mallinfo before running the HTTPS GET request to www.google.com

    malloc_info {
    arena:   23196;/* total space allocated from system */
    ordblks:     1;/* number of non-inuse chunks */
    smblks:      0;/* unused -- always zero */
    hblks:       0;/* number of mmapped regions */
    hblkhd:      0;/* total space in mmapped regions */
    usmblks:     0;/* unused -- always zero */
    fsmblks:     0;/* unused -- always zero */
    uordblks:22076;/* total allocated space */
    fordblks: 1120;/* total non-inuse space */
    keepcost: 1120;/* top-most, releasable (via malloc_trim) space */
    };

2. Information from mallinfo *AFTER* the sequence of calls to the http_stream_* APIs

    malloc_info {
    arena:   39580;/* total space allocated from system */
    ordblks:     1;/* number of non-inuse chunks */
    smblks:      0;/* unused -- always zero */
    hblks:       0;/* number of mmapped regions */
    hblkhd:      0;/* total space in mmapped regions */
    usmblks:     0;/* unused -- always zero */
    fsmblks:     0;/* unused -- always zero */
    uordblks:22076;/* total allocated space */
    fordblks:17504;/* total non-inuse space */
    keepcost:17504;/* top-most, releasable (via malloc_trim) space */
    };

3. Running the HTTPS GET request iteratively with an additional 1000-byte memory allocation in each round causes the *networking thread* to block forever without returning an error cause to the application.

More specifically, the following questions are waiting for your specialist:

1. What exactly is the memory needed by the TLS library provided by the WICED platform? What would you expect your customer to do with the answer *10k+*?

2. Is there any dependency between the certificate file provided by the target site being visited and the memory usage required by the TLS library?

3. Does the TLS library handle the memory limitation correctly and return a corresponding error code to the application layer without blocking the caller indefinitely?

This test is based on the modification of https_client.c, you can download it from the attachment.
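The two mallinfo snapshots above, and the earlier question about how to read the arena/uordblks/fordblks counters, worked through as an added example written for this page (not code from the thread or from the WICED SDK). It checks that a snapshot is internally consistent (arena is the sum of in-use and free bytes), computes how much the heap had to grow across the HTTPS session, and adds the probe a practitioner wants when "100k+ free" still ends in TLS_ERROR_OUT_OF_MEMORY: the largest single block malloc will actually grant, which is what a record or certificate buffer needs and which fragmentation can make far smaller than the free total. The heap_stats type, the function names and the live-snapshot wrapper (mallinfo2 on glibc 2.33+, mallinfo on older glibc and newlib, zeros elsewhere) are this example's own; the two sets of numbers are the ones posted.

```c
/* Added example: interpret mallinfo-style heap counters and probe contiguous free space. */
#include <stddef.h>
#include <stdlib.h>

#if defined(__GLIBC__)
#  include <malloc.h>
#  if __GLIBC_PREREQ(2, 33)
#    define HEAP_HAVE_MALLINFO2 1
#  else
#    define HEAP_HAVE_MALLINFO 1
#  endif
#elif defined(__NEWLIB__)
#  include <malloc.h>
#  define HEAP_HAVE_MALLINFO 1
#endif

typedef struct {
    long arena;     /* bytes the allocator has taken from the system */
    long uordblks;  /* bytes currently handed out to callers */
    long fordblks;  /* bytes sitting on the free list */
    long keepcost;  /* free bytes at the top of the heap, in one piece */
} heap_stats;

/* Snapshot of the live heap where a mallinfo-style call exists; all zeros elsewhere. */
heap_stats heap_snapshot(void) {
    heap_stats s = {0, 0, 0, 0};
#if defined(HEAP_HAVE_MALLINFO2)
    struct mallinfo2 mi = mallinfo2();
    s.arena = (long)mi.arena;       s.uordblks = (long)mi.uordblks;
    s.fordblks = (long)mi.fordblks; s.keepcost = (long)mi.keepcost;
#elif defined(HEAP_HAVE_MALLINFO)
    struct mallinfo mi = mallinfo();
    s.arena = mi.arena;       s.uordblks = mi.uordblks;
    s.fordblks = mi.fordblks; s.keepcost = mi.keepcost;
#endif
    return s;
}

/* The arena is everything the allocator owns, split between in-use and free;
 * the top chunk (keepcost) is part of the free total and cannot exceed it. */
int heap_stats_consistent(heap_stats s) {
    return s.arena >= 0 && s.uordblks >= 0 && s.fordblks >= 0 && s.keepcost >= 0
        && s.arena == s.uordblks + s.fordblks
        && s.keepcost <= s.fordblks;
}

/* Bytes the allocator had to take from the system between two snapshots.
 * Growth with an unchanged uordblks means the work in between allocated and
 * then freed, but the heap still had to expand by this much to serve it:
 * memory the rest of the firmware could not use while the session ran. */
long heap_growth(heap_stats before, heap_stats after) { return after.arena - before.arena; }

/* Bytes still held after the work finished (a leak or a cache if non-zero). */
long heap_retained(heap_stats before, heap_stats after) { return after.uordblks - before.uordblks; }

/* Largest single block malloc will grant right now, by binary search over
 * [0, upper]. fordblks adds up scattered chunks; one TLS record buffer needs
 * one contiguous chunk. On glibc hosts large requests are served by mmap, so
 * the probe reflects address space; on an sbrk-only embedded heap it reflects
 * the real contiguous free space. */
size_t heap_largest_block(size_t upper) {
    size_t lo = 0, hi = upper;
    while (lo < hi) {
        size_t mid = lo + (hi - lo + 1) / 2;
        void *p = malloc(mid);
        if (p != NULL) { free(p); lo = mid; } else { hi = mid - 1; }
    }
    return lo;
}

/* The two snapshots posted above, as data, so the arithmetic can be checked:
 * arena grew by 16384 bytes over the session and uordblks returned to baseline. */
heap_stats thread_before(void) { heap_stats s = {23196, 22076, 1120, 1120};   return s; }
heap_stats thread_after(void)  { heap_stats s = {39580, 22076, 17504, 17504}; return s; }
```

Applied to the posted numbers: both snapshots are consistent, heap_growth() is 16384 and heap_retained() is 0, so the session took 16 KB more from the system than the idle baseline and gave it all back to the free list (keepcost equals fordblks afterwards, so it sits at the top of the heap). That growth, not the 10K+ figure, is the number to budget on this board; and when the firmware grows (the big-array experiment earlier in the thread), heap_largest_block() taken just before wiced_tcp_start_tls shows whether the remaining free space is still available as one piece.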

Anonymous
Not applicable

Have you considered looking at ZentriOS - it automates much of the memory management concerns you refer to?

ACKme Networks

If you want to use an EXTERNAL microcontroller

https://docs.zentri.com/wifi/cmd/latest/search?q=memory

https://docs.zentri.com/wifi/cmd/latest/search?q=tls

If you want to use the INTERNAL microcontroller

https://docs.zentri.com/wifi/sdk/latest/search?q=memory

https://docs.zentri.com/wifi/sdk/latest/search?q=tls