Demo AWS thing_shadow crash


ClMa_3563786 (Level 2)

Hello,

I'm using the ISM43362_M3G_L44 evaluation board with FreeRTOS and LwIP, WICED Studio V6.2.

I would like to make a connection to AWS IoT using the demo application thing_shadow.

I'm using the same certificates as MQTT.fx, which succeeds in connecting.

First, I found a bug in the demo code, file shadow.c l.249:

/* Get AWS Root CA certificate filename: 'rootca.cer' located @ resources/apps/aws/iot folder */
    resource_get_readonly_buffer( &resources_apps_DIR_aws_DIR_iot_DIR_rootca_cer, 0, SHADOW_CERTIFICATES_MAX_SIZE, &size_out, (const void **)root_ca_certificate);
    if( ret != WICED_SUCCESS )
    {
        WPRINT_APP_INFO(("[Shadow] Fail to read buffer ca, err %d\n", ret));
        return ret;
    }

The value of ret is not affected by the function's return and stays initialised to WICED_ERROR.

Once corrected, I modified resources\apps\aws\iot\rootca.cer. Through the AP, I connect with my computer, upload the certificate and the key, and select the Wi-Fi.

Then the application crashed. I added printfs to better understand what was happening.

Starting WICED vWiced_006.002.001.0002
Platform ISM43362_M3G_L44 initialised
Started FreeRTOS v9.0.0
Initialising LwIP v2.0.3
DHCP CLIENT hostname WICED IP
WLAN MAC Address : C4:7F:51:02:70:39
WLAN Firmware    : wl0: May 16 2018 00:27:03 version 5.90.230.31 FWID 01-61657268
Please wait, connecting to network...
(To return to SSID console screen, hold USER switch for 5 seconds during RESET to clear DCT configuration)
Successfully joined : SSID
Setting IPv6 link-local address
Obtaining IPv4 address via DHCP
IPv6 Network ready IP: FE80::C67F:51FF:FE02:7039
IPv4 Network ready IP: 192.168.86.59
[Shadow] Reading Device's certificate and private key from DCT...
[Shadow] Thing Name: lightbulb
[Shadow] Shadow State Topic: $aws/things/lightbulb/shadow/update
[Shadow] Shadow Delta Topic: $aws/things/lightbulb/shadow/update/delta
[Shadow] Connect to AWS IoT
[AWS] AWS endpoint: xxxx is atxxx
[AWS] MQTT Connect
[AWS] MQTT Connect init
[AWS] MQTT network init
[AWS] MQTT network connect
[AWS] netconn connect
[AWS] WICED tcp start tls
[AWS] TLS 1
[AWS] TLS 3
[AWS] TLS 4
[AWS] AES init
[AWS] AES enc
[AWS] AES

The last line is:

wiced_result_t wiced_generic_start_tls_with_ciphers( wiced_tls_context_t* tls_context, void* referee, wiced_tls_endpoint_type_t type, wiced_tls_certificate_verification_t verification, const cipher_suite_t* cipher_list[], tls_transport_protocol_t transport_protocol )
{
...
    WPRINT_APP_INFO(("[AWS] TLS 4\n" ));
    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
                               (const unsigned char *) pers,
                               strlen( pers )) ) != 0 )
    {
        WPRINT_APP_INFO(("[AWS] TLS 6\n" ));
        WPRINT_SECURITY_ERROR(( " failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n", ret ));
        result = TLS_ERROR;
        goto exit_with_inited_context;
    }
    WPRINT_APP_INFO(("[AWS] TLS 5\n" ));
...
}

....

int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
                   int (*f_entropy)(void *, unsigned char *, size_t),
                   void *p_entropy,
                   const unsigned char *custom,
                   size_t len )
{
    return( mbedtls_ctr_drbg_seed_entropy_len( ctx, f_entropy, p_entropy, custom, len,
                                       MBEDTLS_CTR_DRBG_ENTROPY_LEN ) );
}

int mbedtls_ctr_drbg_seed_entropy_len(
                   mbedtls_ctr_drbg_context *ctx,
                   int (*f_entropy)(void *, unsigned char *, size_t),
                   void *p_entropy,
                   const unsigned char *custom,
                   size_t len,
                   size_t entropy_len )
{
    int ret;
    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];

    memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );

    WPRINT_APP_INFO(("[AWS] AES init\n" ));
    mbedtls_aes_init( &ctx->aes_ctx );

    ctx->f_entropy = f_entropy;
    ctx->p_entropy = p_entropy;
    ctx->entropy_len = entropy_len;
    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;

    WPRINT_APP_INFO(("[AWS] AES enc\n" ));
    /*
     * Initialize with an empty key
     */
    mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );

    WPRINT_APP_INFO(("[AWS] AES\n" ));
    if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
        return( ret );

    return( 0 );
}

Could you give more inputs to figure out what is happening?

I use the same file for MQTT.fx and for the upload to the device. I don't understand why it's crashing.

Thanks

PriyaM_16 (Moderator)

Hello,

Thanks for pointing out the error in the shadow.c file.

We have modified the code to take the return value and check the ret value as below:

ret = resource_get_readonly_buffer( &resources_apps_DIR_aws_DIR_iot_DIR_rootca_cer, 0, SHADOW_CERTIFICATES_MAX_SIZE, &size_out, (const void **)root_ca_certificate);

The issue seems to be an error in TLS. It looks like the certificates are not handled properly in the snip.

Can you please replace the following code in get_aws_credentials_from_dct() with the attached code?

Replace:

security->certificate           = (uint8_t *)dct_security->certificate;
security->certificate_length    = strlen( dct_security->certificate );
security->private_key           = (uint8_t *)dct_security->private_key;
security->key_length            = strlen( dct_security->private_key );

with this:

security->certificate = malloc( strlen( dct_security->certificate ) + 1 );
security->certificate_length    = strlen( dct_security->certificate );
memset(security->certificate, 0, security->certificate_length + 1);
memcpy(security->certificate, dct_security->certificate, security->certificate_length );

security->private_key = malloc( strlen( dct_security->private_key ) + 1 );
security->key_length            = strlen( dct_security->private_key );
memset(security->private_key, 0, security->key_length + 1);
memcpy(security->private_key, dct_security->private_key, security->key_length );
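A bounds-checked variant of the credential copy suggested above, added here as an example; it is not WICED's code and not the reply's patch. It assumes fixed-size DCT fields (DCT_FIELD_MAX is a constructed size), stand-in struct names, and constructed placeholder PEM strings, and it reports an unterminated field or a failed malloc() instead of handing a bad buffer to the TLS stack.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed field size: WICED keeps the PEM blobs in fixed-size DCT fields whose
 * real sizes are platform-specific; this value is assumed, not taken from WICED. */
#define DCT_FIELD_MAX 2048u
typedef struct { char certificate[DCT_FIELD_MAX]; char private_key[DCT_FIELD_MAX]; } dct_security_t;
typedef struct { uint8_t *certificate; size_t certificate_length;
                 uint8_t *private_key; size_t key_length; } aws_security_t;
/* Copy one PEM field from persistent storage into its own heap buffer. The scan stops
 * at the field boundary, so a corrupted/unterminated DCT field cannot run off the end. */
static int copy_dct_field(const char *src, size_t field_max, uint8_t **dst, size_t *dst_len)
{
    const char *nul = memchr(src, '\0', field_max);
    if (nul == NULL || nul == src) return -1;     /* unterminated or empty field */
    size_t len = (size_t)(nul - src);
    uint8_t *buf = malloc(len + 1);
    if (buf == NULL) return -1;                   /* allocation failure is an error, not a crash later */
    memcpy(buf, src, len + 1);                    /* keep the NUL: PEM parsers want it */
    *dst = buf; *dst_len = len;                   /* length excludes the NUL, as in the snip */
    return 0;
}
int get_aws_credentials_checked(const dct_security_t *dct, aws_security_t *sec)
{
    memset(sec, 0, sizeof *sec);
    if (copy_dct_field(dct->certificate, DCT_FIELD_MAX, &sec->certificate, &sec->certificate_length))
        return -1;
    if (copy_dct_field(dct->private_key, DCT_FIELD_MAX, &sec->private_key, &sec->key_length)) {
        free(sec->certificate); sec->certificate = NULL;   /* never leave it half-filled */
        return -1;
    }
    return 0;
}
/* Two constructed scenarios: (1) stand-in PEM strings come through intact, (2) a field with
 * no terminator anywhere is rejected instead of over-read. Returns 3 when both hold. The 4 KB
 * DCT image is static, not a local: exactly the kind of object that overflows a small task stack. */
int demo_credential_copy(void)
{
    static dct_security_t dct; aws_security_t sec; int result = 0;
    strcpy(dct.certificate, "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n");
    strcpy(dct.private_key, "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n");
    if (get_aws_credentials_checked(&dct, &sec) == 0
        && sec.certificate_length == strlen(dct.certificate)
        && memcmp(sec.private_key, dct.private_key, sec.key_length + 1) == 0) result |= 1;
    free(sec.certificate); free(sec.private_key);
    memset(dct.certificate, 'A', DCT_FIELD_MAX);           /* no NUL in the whole field */
    if (get_aws_credentials_checked(&dct, &sec) == -1 && sec.certificate == NULL) result |= 2;
    return result;
}
```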

Hello,

Thanks for your response. I've made the change, but it didn't change the crash.

The change:

/* Fix ask by Cypress team */
//    security->certificate           = (uint8_t *)dct_security->certificate;
//    security->certificate_length    = strlen( dct_security->certificate );
//    security->private_key           = (uint8_t *)dct_security->private_key;
//    security->key_length            = strlen( dct_security->private_key );

    security->certificate = malloc( strlen( dct_security->certificate ) + 1 );
    security->certificate_length    = strlen( dct_security->certificate );
    memset(security->certificate, 0, security->certificate_length + 1);
    memcpy(security->certificate, dct_security->certificate, security->certificate_length );

    security->private_key = malloc( strlen( dct_security->private_key ) + 1 );
    security->key_length            = strlen( dct_security->private_key );
    memset(security->private_key, 0, security->key_length + 1);
    memcpy(security->private_key, dct_security->private_key, security->key_length );
    /*******************************/

I print out the certificates; they are printed correctly both before and after the change.

Starting WICED vWiced_006.002.001.0002
Platform ISM43362_M3G_L44 initialised
Started FreeRTOS v9.0.0
Initialising LwIP v2.0.3
DHCP CLIENT hostname WICED IP
WLAN MAC Address : C4:7F:51:02:70:39
WLAN Firmware    : wl0: May 16 2018 00:27:03 version 5.90.230.31 FWID 01-61657268
Please wait, connecting to network...
(To return to SSID console screen, hold USER switch for 5 seconds during RESET to clear DCT configuration)
Joining : SSID
Successfully joined : SSID
Setting IPv6 link-local address
Obtaining IPv4 address via DHCP
IPv6 Network ready IP: FE80::C67F:51FF:FE02:7039
IPv4 Network ready IP: 192.168.86.62
[Shadow] Reading Device's certificate and private key from DCT...
[Shadow] Thing Name: lightbulb
[Shadow] Shadow State Topic: $aws/things/lightbulb/shadow/update
[Shadow] Shadow Delta Topic: $aws/things/lightbulb/shadow/update/delta
[Shadow] Connect to AWS IoT
[AWS] AWS endpoint: XXXXXX is at XXXXX
[AWS] MQTT Connect
[AWS] CA (1208):
[AWS] CT (1224):

[AWS] PK (1675):

[AWS] MQTT Connect init
[AWS] MQTT network init
[AWS] MQTT network connect
[AWS] netconn connect
[AWS] WICED tcp start tls
[AWS] TLS 1
[AWS] TLS 3
[AWS] TLS 4
[AWS] AES init
[AWS] AES enc
[AWS] AES
[AWS] mbedtls_ctr_drbg_reseed ctx = 0x200033a8 func = 0x801e0db

Let me know if you need more inputs

Thanks


Hello,

Are you using the default thing given for testing in WICED or have you created a thing named "lightbulb"?

The thing name created for testing purpose is named DEMO. Kindly enter the thing name as DEMO in the configuration web page.

If you have created a thing of your own, can you please enable the TLS logs as mentioned in Debugging TLS in WICED and attach the logs?

I found the issue. It was a stack overflow.

I've modified the define of the application stack size to 2048 instead of 6144.

After reverting back to 6144, I didn't have to modify the handling of certificates, only the function return as explained in my original post.


Thanks for your help
