• Registered: 2023-09-08
  • Posts: 1

Topic: BUFFER_ERROR (-328) while establishing a TLS connection

Greetings,

I'm using WolfSSL in s an embedded project for both the TLS server and client sides to establish a TLS1.3 connection.
During the connection establishment the client side reports error -328 while parsing the server hello.
The error condition is in response to this if statement

    if (OPAQUE16_LEN > length || length % OPAQUE16_LEN)
        return BUFFER_ERROR;

in function TLSX_SupportedCurve_Parse in the file tls.c

I'm using cipher suite: TLS13-AES128-CCM-SHA256

Here is the client hello data:

16 03 03 00 9c 01 00 00 98 03 03 00 00 00 08 00
81 ef 58 00 00 00 01 00 80 bb 3c 00 16 09 9e 00
05 b8 ec 00 16 0b 42 00 00 00 00 00 00 06 13 01
13 04 13 05 01 00 00 69 00 33 00 47 00 45 00 17
00 41 04 6b 17 d1 f2 e1 2c 42 47 f8 bc e6 e5 63
a4 40 f2 77 03 7d 81 2d eb 33 a0 f4 a1 39 45 d8
98 c2 96 4f e3 42 e2 fe 1a 7f 9b 8e e7 eb 4a 7c
0f 9e 16 2b ce 33 57 6b 31 5e ce cb b6 40 68 37
bf 51 f5 00 2b 00 03 02 03 04 00 0d 00 06 00 04
04 03 04 01 00 0a 00 04 00 02 00 17 00 01 00 01
04

Here is the server hello data:

16 03 03 00 7b 02 00 00 77 03 03 75 a8 f8 8d 6f
79 63 b8 51 93 dd a3 dc 6b 48 8e 98 19 59 36 7d
04 04 3b 88 2c c6 1d f4 f5 aa 59 00 13 01 00 00
4f 00 33 00 45 00 17 00 41 04 19 7b 21 ce f6 4e
44 56 b5 36 3d 10 3a 28 f1 de 7c 2f 8b 27 f8 80
a7 60 cc ee 96 fb d5 79 9c ca ae 17 37 07 20 0b
cd 96 79 4e 77 43 3d a2 bb 25 2c 63 3e fa 8a 55
c3 2e 36 2c fe 0e b8 c9 f0 52 00 2b 00 02 03 04
17 03 03 00 1b e7 1b 91 a6 f2 4b 3e f2 fb c7 ab
e7 b6 1f 92 5f dc 58 32 4d f5 dd c6 7e 8c c4 a7
17 03 03 00 2a f6 a8 82 a8 d2 7b 5d 46 72 0e d4
17 ae 8b 36 60 f6 2e e4 85 f7 1f 5c dd 3f 18 6b
5b c9 09 4a a1 98 25 be 82 c9 ef 76 61 10 39 17
03 03 01 8e 72 b6 d4 7f 6f 14 75 63 a2 95 70 19
70 c2 85 47 39 45 66 b7 24 b4 ea 51 f8 f3 0f 89
0c bb 11 c2 be 38 db 1f c9 04 d0 f2 c6 4f dc d3
b1 91 bf 4a 37 56 8f 99 c9 10 4b 2c 17 6c 3e e5
df a2 bd 81 c8 e6 41 99 7b c1 1e b1 15 dc 49 7a
7d 9f b2 aa c9 18 e8 b3 b3 29 55 ce 0a 12 71 8c
5e 6d 2b 83 9e 85 fc 26 fb 3d 11 a7 8a 59 fc 93
c5 28 9a 43 48 29 d1 94 a7 8c e8 ab b0 7b 79 24
99 d8 c8 b5 90 57 b0 65 ff 40 5d 03 4f 5a 0d 14
6b 56 af 3a 6e d1 16 30 31 6e 11 68 85 d5 14 0d
ad 6b 3c 97 5f 84 02 a3 b8 73 67 e6 c0 75 89 c7
5e 6b b4 92 1f 51 4a 70 a2 6a 95 dd 0e f1 d3 02
2e 41 4b c4 b3 6d 11 61 a7 a7 9a 5c 9c e7 b9 12
68 80 cd 96 7d 63 1a b3 3e 15 71 39 aa bb 37 e0
6e 9a 36 7e 1d 04 6e f3 30 ca 94 6d 5c a8 f5 6b
84 f6 d4 e3 2b ed 9d be 86 93 da 67 ad 9e 9d 50
d8 1e bf 18 38 07 47 e2 95 ad 11 a0 92 03 bf 93
12 eb 51 22 d2 ca 1d ec af 71 16 07 da fc d9 ae
0f e7 30 c2 89 08 21

dd 70 03 70 38 f9 f8 d4 09 0c a8 78 4d 70 78 a6
30 b5 ae 47 ab c4 63 92 58 e1 92 d4 30 14 36 ed
c2 3d 3b cd f2 5e 64 5c 8a 8f 05 cd ab 0a 48 9f
2f ea 60 5b f2 f0 f4 54 ef 05 0f 43 f1 1c 5c 5b
30 30 c0 c1 a0 e5 83 5d 40 80 ff 56 eb a5 f1 c4
fb b8 87 ee b9 bc 3c cb b7 be 3e 74 67 e0 33 10
b6 01 6c 2f 3c cb ed 0b a6 28 ac 17 03 03 00 5f
2a 03 4d 8f d4 f0 a3 21 e4 2e 99 c6 f9 b6 d0 a5
d4 94 25 e1 9d 01 88 1c 5a 46 08 c3 35 1a 7a 59
4b f0 77 94 0f eb 4a 73 4d 5c 06 92 d0 59 fe ea
7a dc c0 c1 78 dc 90 15 c0 f2 a6 d6 06 b2 ba 44
59 8f bf 39 48 b0 8e 1f 1f ac d0 96 52 71 81 3f
2d 9f dc be 1a 23 e6 61 20 c3 c9 35 b6 55 71 17
03 03 00 35 f5 87 54 32 eb d8 ad c0 63 cb 7b 36
ef 49 b5 50 cf f1 8e 80 94 3f b9 aa 6e d3 23 03
46 9d 08 1d 35 5e 7f da 41 2f 6c dc 40 b0 d2 cf
9f 39 d5 0b d0 01 57 1b 27

Here are my user settings (I was unable to upload the file)
#ifndef _WIN_USER_SETTINGS_H_
#define _WIN_USER_SETTINGS_H_

/* Verify this is Windows */
#ifndef _WIN32
#error This user_settings.h header is only designed for Windows
#endif

#define tls_print_msg(x)
#define tls_print_error_code(x)
#define tls_print_msg_and_code(x, y)


#define WOLFSSL_MAX_SEND_SZ 2048
#define NO_SESSION_CACHE
//#define HAVE_MAX_FRAGMENT
//#define MAX_CHAIN_DEPTH 4 // maximum chain depth limited to 4 based on available memory space.
#undef SESSION_CERTS
#define SESSION_CERTS
#define NO_WOLFSSL_CLIENT
///// Feature settings
#undef WOLFSSL_TLS13
#define WOLFSSL_TLS13

#undef WOLFSSL_NO_TLS12
#define WOLFSSL_NO_TLS12

#undef NO_OLD_TLS
#define NO_OLD_TLS

#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES

#undef HAVE_ECC
#define HAVE_ECC

#undef HAVE_SESSION_TICKET

#undef HAVE_HKDF
#define HAVE_HKDF

#define HAVE_FFDHE_2048
#define HAVE_FFDHE_4096
#define HAVE_FFDHE_8192

#undef HAVE_X963_KDF
#define HAVE_X963_KDF

#undef HAVE_AEAD
#define HAVE_AEAD

#undef HAVE_CHACHA

// TODO: Remove the following
//#define HAVE_FFDHE_8192 // KJ: Not used on client side
//#define WOLFSSL_DH_CONST
//#define HAVE_FFDHE_2048
// #define HAVE_FFDHE_4096



// KJ: Uncomment this to see a printout of all Wolf data
// #define WOLFSSL_LOG_PRINTF

/* Change to "if 1" to enable debug */
#if 1
#define DEBUG_WOLFSSL
#define WOLFSSL_DEBUG_TLS

#endif

#undef NO_RSA
#define NO_RSA
#ifndef NO_RSA
    #define WC_RSA_PSS
    #define WC_RSA_BLINDING
#endif

#undef NO_DES3
#define NO_DES3

#undef NO_DSA
#define NO_DSA

#undef NO_MD4
#define NO_MD4

#undef NO_MD5
#define NO_MD5

#undef NO_SHA
//#define NO_SHA

#undef NO_RC4
#define NO_RC4

// TODO: Is this needed
#undef NO_DH
//#define NO_DH

#undef NO_PSK
#define NO_PSK

#undef NO_PWDBASED
#define NO_PWDBASED

#undef NO_ARC4
#define NO_ARC4

#undef USER_TICKS
//#define USER_TICKS

#undef BUILD_GCM
//#define BUILD_GCM

#undef HAVE_AESCCM
#define HAVE_AESCCM

#undef HAVE_AESGCM
// #define HAVE_AESGCM
#ifdef HAVE_AESGCM
#define GCM_TABLE_4BIT
#endif

#undef WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_COUNTER

#undef WOLFSSL_AES_DIRECT
#define WOLFSSL_AES_DIRECT

#undef HAVE_OCSP
//#define HAVE_OCSP
#ifdef HAVE_OCSP
  #define HAVE_CERTIFICATE_STATUS_REQUEST
#endif

#undef WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_GEN

#undef WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_REQ

#undef WOLFSSL_ALT_NAMES
#define WOLFSSL_ALT_NAMES
#ifdef WOLFSSL_ALT_NAMES
    #define WC_CTC_MAX_ALT_SIZE (256)
    #define WOLFSSL_CERT_EXT
    #define WOLFSSL_ASN_TEMPLATE
    #define WOLFSSL_CUSTOM_OID
    #define HAVE_OID_ENCODING
    #define HAVE_OID_DECODING
#endif

#undef WOLFSSL_SESSION_STATS
#define WOLFSSL_SESSION_STATS
/////


///// System capability settings
#define WOLFSSL_USER_IO
/////

///// Hardening
//#define WC_NO_HARDEN // disable the warning to use harden options
#undef ECC_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT // has a substantial performance impact, nullifies ECC HW acceleration
#undef TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT // only needed by USE_FAST_MATH, minimal impact
/////

///// Logging
//#define DEBUG_WOLFSSL
#ifdef DEBUG_WOLFSSL
//#define WOLFSSL_DEBUG
//#define WOLFSSL_DEBUG_TLS
#ifdef WOLFSSL_STATIC_MEMORY
    #define WOLFSSL_DEBUG_MEMORY
    #define WOLFSSL_DEBUG_STATIC_MEMORY
#endif
    //#define WOLFSSL_DEBUG_ERRORS_ONLY
#else
    //#define NO_ERROR_STRINGS
#endif
/////


///// Math settings
#undef USE_FAST_MATH
//#define USE_FAST_MATH
// Do not include ECC optimizers if using SP Math for ECC

#undef TFM_ECC224
//#define TFM_ECC224

#undef TFM_ECC256
//#define TFM_ECC256

#undef TFM_ECC521
//#define TFM_ECC521
/////

// Note that the benchmark tests show best performance using TFM except for ECC math
//#define SP_WORD_SIZE 32
//#define WOLFSSL_SP_MATH_ALL
//#define WOLFSSL_SP_ASM
//#define WOLFSSL_SP_MATH  // if desired, do not define to allow USE_FAST_MATH to work for DH
//#define WOLFSSL_HAVE_SP_ECC // much faster than USE_FAST_MATH
//#define WOLFSSL_HAVE_SP_DH // slower than USE_FAST_MATH in benchmarks
//#define WOLFSSL_SP_FAST_NCT_EXPTMOD
/////


////////////////////////KJ/////////////////////////
//#define WOLFSSL_ALLOW_SERVER_SC_EXT
#define WOLFSSL_VERBOSE_ERRORS

#define HAVE_SUPPORTED_CURVES
#define HAVE_TLS_EXTENSIONS
#define NO_ASN_TIME

// NOTE!!!!!!! KJ: These definitions are needed to include the function that can verify the signature on the TLS client cert.
//                 Namely: wc_CheckCertSigPubKey(...)
#define OPENSSL_EXTRA
#define NO_BIO
#define USE_WOLF_STRTOK
////////////////////////KJ/////////////////////////


#undef WOLFSSL_DER_LOAD
#define WOLFSSL_DER_LOAD
// #define WC_RSA_PSS
//#define WOLFSSL_DTLS
//#define WOLFSSL_DTLS13
//#define WOLFSSL_SEND_HRR_COOKIE
//#define WOLFSSL_DTLS_CID

/* Configurations */
#if defined(HAVE_FIPS)
    /* FIPS */
    #define OPENSSL_EXTRA
    #define HAVE_THREAD_LS
    #define WOLFSSL_KEY_GEN
    #define HAVE_HASHDRBG
    #define WOLFSSL_SHA384
    #define WOLFSSL_SHA512
    #define NO_PSK
    #define NO_RC4
    #define NO_DSA
    #define NO_MD4

    #define GCM_NONCE_MID_SZ 12
#else
    /* Enables blinding mode, to prevent timing attacks */
    // #define WC_RSA_BLINDING
    #define NO_MULTIBYTE_PRINT

    #if defined(WOLFSSL_LIB)
        /* The lib */
        #define OPENSSL_EXTRA
        //#define WOLFSSL_RIPEMD
        #define NO_PSK
        //#define HAVE_EXTENDED_MASTER
        #define WOLFSSL_SNIFFER
        //#define HAVE_SECURE_RENEGOTIATION

        //#define HAVE_AESGCM
        //#define WOLFSSL_AESGCM_STREAM
        #define WOLFSSL_SHA384
        #define WOLFSSL_SHA512

        #define HAVE_SUPPORTED_CURVES
        #define HAVE_TLS_EXTENSIONS

        #define HAVE_ECC
        #define ECC_SHAMIR
        #define ECC_TIMING_RESISTANT

        //#define WOLFSSL_SP_X86_64
        //#define SP_INT_BITS  4096
    #else
        /* The servers and clients */
        #define OPENSSL_EXTRA
        #define NO_PSK
    #endif
#endif /* HAVE_FIPS */

#endif /* _WIN_USER_SETTINGS_H_ */



Since I'm using WolfSSL for the client and the server, I can't figure out why I'm getting the malformed buffer error.

Thanks in advance for your help.

Share

  • From: Mobile, AL
  • Registered: 2013-12-11
  • Posts: 300

Re: BUFFER_ERROR (-328) while establishing a TLS connection

Hi kj3141

Please send an email to our support team so that this issue is properly tracked

support@wolfssl.com

Thanks,
Eric - wolfSSL Support

embhorn's Website

Share