Topic: Certificate Verification hangs at mp_exptmod call in RsaFunction

Using LPC1768 mbed board with the Application board to connect to google.com over SSL.

Doing wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL) to connect to google.com over SSL. After going through various validations, there is the Signature Verification (call to ConfirmSignature in asn.c). sigOID is 649 (CTC_SHAwRSA) and keyOID is 645 (RSAk). This calls RsaSSL_VerifyInline. Then a call to RsaFunction. Here the type is RSA_PUBLIC_DECRYPT. In this block, there is a call to mp_exptmod. But the call is never made. I have a debug line as the first line in the mp_exptmod function but that never gets called. The code never reaches this line! It is as if the function never gets called. The program just stops there.

Any help/pointers will be greatly appreciated.

Re: Certificate Verification hangs at mp_exptmod call in RsaFunction

Hi kbhave,

Do you know what you have your stack size set to?  Are you using the normal big integer library, or the fastmath library (#define USE_FAST_MATH, #define TFM_TIMING_RESISTANT)?

Thanks,
Chris

Re: Certificate Verification hangs at mp_exptmod call in RsaFunction

Hello Chris,
Well I am not sure what it is set to (since I did not set it explicitly and I am fairly new to this platform). I am using the mbed online IDE (compiler). I am surely not using fast math (USE_FAST_MATH is not defined for mbed platform by default either).

I did manage to trace it further and I think it does run out of memory, although I don't get any explicit error message for it. The program stops after a call to mp_grow. From the online IDE's "Build details" the RAM footprint of this is about 36K. The board has 64K of RAM but from the Memory model doc for mbed (http://developer.mbed.org/handbook/Memory-Model) it seems 32K is dedicated for peripheral drivers and such :-(

Thanks,
Kedar

Re: Certificate Verification hangs at mp_exptmod call in RsaFunction

I printed the memory allocations on this board, and they don't seem to be topping off -

  Main RAM = 8680 (has 32K total)
  AHBSRAM0 = 16384 (this used by Ethernet is topped off)
  AHBSRAM1 = 11348 (this one used by USB is low)
  CANRAM   = 0 (not used at all - I think this is 2K)

This doesn't look like a memory issue. It just dies in the call to mp_mulmod. It never comes out.

Re: Certificate Verification hangs at mp_exptmod call in RsaFunction

Hi Kedar,

It does look like you may be running out of memory.  Does my post in your other topic help: http://www.yassl.com/forums/topic591-netsecureblkget-where-is-this.html

Best Regards,
Chris

Re: Certificate Verification hangs at mp_exptmod call in RsaFunction

Well, if it was a memory issue, wouldn't XMALLOC fail with a NULL pointer? I am checking for NULL. So in integer.c in mp_init_size() I have the following:

  /* alloc mem */
  a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * size, 0,
                                      DYNAMIC_TYPE_BIGINT);
  if (a->dp == NULL) {
    WOLFSSL_MSG("KRB: mp_init_size: Memory Allocation Failed");
    return MP_MEM;
  }

I am guessing if this is a memory issue, a->dp would be NULL? In my case, the program literally stops doing anything. There is nothing printed after my statement before XMALLOC.

Re: Certificate Verification hangs at mp_exptmod call in RsaFunction

The reason I say that it may be a stack problem is that when I have worked with embedded boards in the past, and the task stack size is not set high enough, oftentimes the application will just **stop**, as you have mentioned inside of a function.

How long have you waited for it to return from the function?  Sometimes the public key operations on embedded boards can take up to a minute or two.

Best Regards,
Chris
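
One way to test the stack-size hypothesis from the reply above (an added example, not code from the thread or from wolfSSL): paint the stack region with a sentinel at startup, run the handshake, then count how many sentinel words survive. A NULL check on XMALLOC reports heap exhaustion only, so a stack overrun needs a separate measurement like this. The region bounds, the sentinel value and the `simulate_use` helper are assumptions for illustration; on a target the bounds come from the linker script or the RTOS task configuration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define STACK_FILL 0xDEADBEEFu /* constructed sentinel value */

/* Fill [low, high) with the sentinel; call early, with high below the current SP. */
void stack_paint(uint32_t *low, uint32_t *high)
{
    for (uint32_t *p = low; p < high; p++)
        *p = STACK_FILL;
}

/* The stack grows down from high toward low, so sentinel words still
 * intact at the low end are headroom that was never touched. */
size_t stack_unused_words(const uint32_t *low, const uint32_t *high)
{
    size_t n = 0;
    while (low + n < high && low[n] == STACK_FILL)
        n++;
    return n;
}

/* Peak usage in bytes since the region was painted. */
size_t stack_peak_bytes(const uint32_t *low, const uint32_t *high)
{
    return ((size_t)(high - low) - stack_unused_words(low, high)) * sizeof(uint32_t);
}

/* No sentinel left at the lowest word: the stack reached or passed its limit. */
int stack_exhausted(const uint32_t *low, const uint32_t *high)
{
    return stack_unused_words(low, high) == 0;
}

/* Host-side stand-in for a deep call chain (constructed): overwrite
 * `words` words downward from the top of the region. */
void simulate_use(uint32_t *low, uint32_t *high, size_t words)
{
    for (size_t i = 0; i < words && high - i > low; i++)
        *(high - 1 - i) = (uint32_t)i;
}

int main(void)
{
    static uint32_t region[64]; /* constructed 256-byte "stack" */
    stack_paint(region, region + 64);
    simulate_use(region, region + 64, 40);
    printf("peak %zu bytes\n", stack_peak_bytes(region, region + 64));
    return stack_exhausted(region, region + 64);
}
```

If the peak is at or near the full region size after the RSA verify, the stack is the limit being hit even though every allocation check passed.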

Re: Certificate Verification hangs at mp_exptmod call in RsaFunction

Unfortunately I still have not seen a single SSL connection example that works on the LPC1768 board with wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);

We have tested our code using your standard wolfSSL embedded SSL library on a Mac and it works, but it does not work on this board.

If you know of any working example that can connect to google or twitter or some such site over HTTPS, please let me know.

Thanks.
