1 (edited by akhi_gangwar 2020-08-21 04:26:36)

Topic: Error while using cert and key of 4096 bits public key

Hi All,
I am using TI RTOS and wolfssl for tm4c129encpdt microcontroller.
I am using wolfssl while doing HTTPS and FTPS. So far, I have been using the 2048 key size. Everything was working fine.
Then, for FTPS, I had a cert and key with a key size of 4096 bits and I started getting errors while handshaking.
This is the log -

    
wolfSSL Entering wolfSSL_recv()
wolfSSL Entering wolfSSL_read()
wolfSSL Entering wolfSSL_read_internal()
wolfSSL Entering ReceiveData()
Handshake not complete, trying to finish
wolfSSL Entering wolfSSL_negotiate
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeSubjKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeAuthKeyId
wolfSSL Entering GetObjectId()
wolfSSL Entering DecodeKeyUsage
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
About to verify certificate signature
RSA_FUNCTION MP_EXPTMOD_E: memory/config problem
Rsa SSL verify error
Confirm signature failed
Failed to verify Peer's cert
    No callback override available, fatal
wolfSSL Leaving DoHandShakeMsgType(), return -155
wolfSSL Leaving DoHandShakeMsg(), return -155
wolfSSL error occured, error = -155
wolfSSL Leaving wolfSSL_negotiate, return -1
wolfSSL Leaving wolfSSL_read_internal(), return -1
wolfSSL Leaving wolfSSL_recv(), return -1
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -155

My settings are like this -

#ifdef WOLFSSL_TIRTOS
    #define SIZEOF_LONG_LONG 8
    #define NO_WRITEV
    #define NO_WOLFSSL_DIR
    #define USE_FAST_MATH
    #define TFM_TIMING_RESISTANT
    #define NO_DEV_RANDOM
    #define NO_FILESYSTEM
    #define USE_CERT_BUFFERS_2048
    #define NO_ERROR_STRINGS
    #define USER_TIME
    #define HAVE_ECC

    #ifdef __IAR_SYSTEMS_ICC__
        #pragma diag_suppress=Pa089
    #elif !defined(__GNUC__)
        /* Suppress the sslpro warning */
        #pragma diag_suppress=11
    #endif

    #include <ti/sysbios/hal/Seconds.h>
#endif

For the 2048 key size, everything is working, and when I use the 4096 key size, I start getting errors.
For experiment purposes, I commented out USE_FAST_MATH and it worked fine in that case.

What is this issue? And how do I resolve it without commenting out USE_FAST_MATH? Commenting it out increases the stack usage of my task and I don't want that.

I tried to increase FP_MAX_BITS from 4096 to 8192, but then my 2048-bit certificate also stopped working.

Thanks


Re: Error while using cert and key of 4096 bits public key

Hi akhi_gangwar,

That sounds like a stack issue. The fast math option uses stack for the math variables. Setting the FP_MAX_BITS to 8192 is correct (double max key size). But you'll also need to make sure your task or linker script increases the allowed / reserved stack space. By disabling fast math it uses heap. The normal math is slower because of the extra malloc/free calls.

You might also try using our single precision small math option with these options:

#define WOLFSSL_SP
#define WOLFSSL_SP_SMALL      /* use smaller version of code */
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_HAVE_SP_DH
#define WOLFSSL_HAVE_SP_ECC
#define WOLFSSL_SP_4096       /* enable 4096-bit */
//#define WOLFSSL_SP_MATH     /* only SP math - eliminates integer/tfm math code, so only standard curves/key sizes are supported */
//#define WOLFSSL_SP_ASM      /* enable the assembly speedup */
//#define WOLFSSL_SP_ARM_CORTEX_M_ASM /* optional cortex-m speedups */

Thanks,
David Garske, wolfSSL


Re: Error while using cert and key of 4096 bits public key

Hi Garske,
I don't think this is a stack issue, because when I got the error, I checked my peak stack and it was approx. 25KB (peak stack usage) out of the 42KB stack size for this task. I checked this when I had USE_FAST_MATH enabled and FP_MAX_BITS set to 4096.

Thanks,
Akhilesh


Re: Error while using cert and key of 4096 bits public key

Hi akhi_gangwar,

The -155 "RSA_FUNCTION MP_EXPTMOD_E: memory/config problem" means either stack too small or FP_MAX_BITS is not set large enough. If you have FP_MAX_BITS 8192 you should be good with fast math.

Did you try the SP version of our math? It's much, much faster and memory efficient.

Thanks,
David Garske, wolfSSL
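
A simplified model of the "FP_MAX_BITS must be double the max key size" rule from the replies above, added here as an example; it is not wolfSSL's code and not part of any post. The names `fixed_int`, `fixed_mul`, `square_digits` and `ERR_CAPACITY`, and the 32-bit digit width, are assumptions of the model. It shows that squaring a 4096-bit value in fixed storage needs 8192 bits of room, so a 4096-bit capacity fails while a 2048-bit key still fits.

```c
#include <stdint.h>
#include <string.h>

#define DIGIT_BITS   32          /* assumed digit width for a 32-bit MCU */
#define MAX_DIGITS   256         /* storage for up to 8192 bits */
#define ERR_CAPACITY (-1)        /* constructed error code, not a wolfSSL value */

/* Fixed-size integer: no heap growth, so capacity is decided at build time.
 * At 8192 bits each such integer carries 1024 bytes of digits. */
typedef struct {
    int      used;               /* digits currently in use */
    uint32_t dp[MAX_DIGITS];
} fixed_int;

/* Constructed input: an all-ones value of the given bit length. */
static int fixed_set_ones(fixed_int *n, int bits) {
    if (bits < 0 || bits / DIGIT_BITS > MAX_DIGITS) return ERR_CAPACITY;
    memset(n, 0, sizeof *n);
    n->used = bits / DIGIT_BITS;
    for (int i = 0; i < n->used; i++) n->dp[i] = 0xFFFFFFFFu;
    return 0;
}

/* Schoolbook multiply that refuses to run when the product cannot fit in
 * cap_bits of storage, instead of growing the result as a heap-based
 * big-integer library would. */
static int fixed_mul(const fixed_int *a, const fixed_int *b,
                     fixed_int *out, int cap_bits) {
    int cap_digits = cap_bits / DIGIT_BITS;
    if (cap_digits > MAX_DIGITS) cap_digits = MAX_DIGITS;
    if (a->used + b->used > cap_digits) return ERR_CAPACITY;
    memset(out, 0, sizeof *out);
    for (int i = 0; i < a->used; i++) {
        uint64_t carry = 0;
        for (int j = 0; j < b->used; j++) {
            uint64_t t = (uint64_t)a->dp[i] * b->dp[j] + out->dp[i + j] + carry;
            out->dp[i + j] = (uint32_t)t;
            carry = t >> 32;
        }
        out->dp[i + b->used] = (uint32_t)carry;
    }
    out->used = a->used + b->used;
    while (out->used > 0 && out->dp[out->used - 1] == 0) out->used--;
    return 0;
}

/* Square a key_bits-wide value under cap_bits of storage.
 * Returns the digit count of the result, or ERR_CAPACITY. */
int square_digits(int key_bits, int cap_bits) {
    static fixed_int a, r;       /* static: keep the model's buffers off the stack */
    if (fixed_set_ones(&a, key_bits) != 0) return ERR_CAPACITY;
    if (fixed_mul(&a, &a, &r, cap_bits) != 0) return ERR_CAPACITY;
    return r.used;
}
```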


Re: Error while using cert and key of 4096 bits public key

Hi Garske,
Can you tell me approximately how much memory is consumed while handshaking if USE_FAST_MATH is enabled and FP_MAX_BITS is set to 8192? Because at the time I checked, I had a lot of memory, both heap and stack.
Also, I did not know about the SP version of math in wolfssl. How do I use it? Is it already included in wolfssl or do I need to integrate it separately?

Thanks
