20 Replies Latest reply on Mar 29, 2016 9:26 PM by hardy.chen

    How much memory is required to enable tls?

    sam.lin

      I'm testing HTTPS for my application and I found that HTTP works but HTTPS fails.

      The error is:

      wiced_tcp_connect returns 1,

      which is because wiced_tcp_start_tls returns 1,

      which is because

          wiced_tcp_start_tls
          -> wiced_tcp_start_tls_with_ciphers
          -> ssl_handshake_client_async returns 1.

      If I remove some features from my application at compile time, HTTPS works.

      It seems TLS takes extra memory to work.

      How much extra free memory is required to enable TLS?

        • 1. Re: How much memory is required to enable tls?
          sam.lin

          I sometimes get wiced_tcp_connect() result=64449.

          It's because ssl_handshake_client_async() returns 64449.

          What is the meaning of this error code?

          • 2. Re: How much memory is required to enable tls?
            jayi

            Hi Sam,

             

            Could you double-check if the result is 64449? Here's a list of the TLS result errors. Hope this helps.

             

            Regards,

            Jaeyoung

             

                TLS_SUCCESS = (0),
                TLS_TIMEOUT = (2),
                TLS_RECEIVE_FAILED = (5001),
                TLS_ALERT_NO_CERTIFICATE = (5002),
                TLS_ERROR_OUT_OF_MEMORY = (5003),
                TLS_ERROR_FEATURE_UNAVAILABLE = (5004),
                TLS_ERROR_BAD_INPUT_DATA = (5005),
                TLS_ERROR_INVALID_MAC = (5006),
                TLS_ERROR_INVALID_RECORD = (5007),
                TLS_ERROR_INVALID_MODULUS_SIZE = (5008),
                TLS_ERROR_UNKNOWN_CIPHER = (5009),
                TLS_ERROR_NO_CIPHER_CHOSEN = (5010),
                TLS_ERROR_NO_SESSION_FOUND = (5011),
                TLS_ERROR_NO_CLIENT_CERTIFICATE = (5012),
                TLS_ERROR_CERTIFICATE_TOO_LARGE = (5013),
                TLS_ERROR_CERTIFICATE_REQUIRED = (5014),
                TLS_ERROR_PRIVATE_KEY_REQUIRED = (5015),
                TLS_ERROR_CA_CHAIN_REQUIRED = (5016),
                TLS_ERROR_UNEXPECTED_MESSAGE = (5017),
                TLS_ERROR_FATAL_ALERT_MESSAGE = (5018),
                TLS_ERROR_PEER_VERIFY_FAILED = (5019),
                TLS_ERROR_PEER_CLOSE_NOTIFY = (5020),
                TLS_ERROR_BAD_HS_CLIENT_HELLO = (5021),
                TLS_ERROR_BAD_HS_SERVER_HELLO = (5022),
                TLS_ERROR_BAD_HS_CERTIFICATE = (5023),
                TLS_ERROR_BAD_HS_CERTIFICATE_REQUEST = (5024),
                TLS_ERROR_BAD_HS_SERVER_KEY_EXCHANGE = (5025),
                TLS_ERROR_BAD_HS_SERVER_HELLO_DONE = (5026),
                TLS_ERROR_BAD_HS_CLIENT_KEY_EXCHANGE = (5027),
                TLS_ERROR_BAD_HS_CERTIFICATE_VERIFY = (5028),
                TLS_ERROR_BAD_HS_CHANGE_CIPHER_SPEC = (5029),
                TLS_ERROR_BAD_HS_FINISHED = (5030),
                TLS_HANDSHAKE_TIMEOUT = (5031),
                TLS_HANDSHAKE_ERROR = (5032),
                TLS_INIT_FAIL = (5033),
                TLS_BAD_MESSAGE = (5034),
                TLS_UNTRUSTED_CERTIFICATE = (5035),
                TLS_EXPIRED_CERTIFICATE = (5036),
                TLS_CERTIFICATE_NAME_MISMATCH = (5037),
                TLS_ERROR_DECRYPTION_FAIL = (5038),
                TLS_ERROR_ENCRYPTION_FAIL = (5039),
                TLS_ERROR_HMAC_CHECK_FAIL = (5040),
                TLS_CERTIFICATE_REVOKED = (5041),
                TLS_NO_DATA = (5042),
                TLS_ERROR_UNSUPPORTED_EXTENSION = (5043),

            • 3. Re: How much memory is required to enable tls?
              sam.lin

              Here is how I got the result, and it's 64449.

              In wiced_tcp_start_tls_with_ciphers():

                  result = ssl_handshake_client_async( &tls_context->context );
                  if ( result != TLS_SUCCESS )
                  {
                      printf("handshake result=%u\r\n", result);   /* added to print the raw result */
                      WPRINT_SECURITY_INFO(( "Error with TLS handshake\n" ));
                      goto exit_with_inited_context;
                  }

              • 4. Re: How much memory is required to enable tls?
                sam.lin

                Hi Jaeyoung,

                I'm completely lost here, as we don't have the code to trace this issue.

                The first call to ssl_handshake_client_async() returns 64449.

                Then all subsequent ssl_handshake_client_async() calls return 1.

                Any comments?

                • 5. Re: How much memory is required to enable tls?
                  sam.lin

                  Just to update this issue:

                  I don't provide a root CA, so I'm using SSL_VERIFY_NONE.

                  My previous comment only shows the first error returned by ssl_handshake_client_async().

                  I just noticed the behavior below when calling wiced_tcp_start_tls_with_ciphers():

                  wiced_tcp_start_tls_with_ciphers() has a do-while loop, so what I actually get is:

                  ssl_handshake_client_async() returns 0.
                  ssl_handshake_client_async() returns 0.
                  ssl_handshake_client_async() returns 0.
                  ssl_handshake_client_async() returns 0.
                  ssl_handshake_client_async() returns 0xFBC1 (that's 64449).

                  And then the next time I call wiced_tcp_start_tls_with_ciphers(), I get:

                  ssl_handshake_client_async() returns 0.
                  ssl_handshake_client_async() returns 0.
                  ssl_handshake_client_async() returns 0.
                  ssl_handshake_client_async() returns 1.

                  The same pattern every time I reboot and re-test.

                  • 6. Re: How much memory is required to enable tls?
                    sam.lin

                    This might be a memory issue.

                    The ssl_handshake_client_async() error might be an OOM.

                    From my observation, wiced_tcp_start_tls with SSL_VERIFY_NONE takes
                    at least 10K+ of memory, which is pretty big for some platforms.

                    So that is exactly the initial question of this thread: how much memory is
                    required to enable TLS?

                    • 7. Re: How much memory is required to enable tls?
                      jayi

                      Hi,

                       

                      You can find the information when you compile your app. It will be under "Supplicant - BESL".

                       

                      Thanks,

                      Jaeyoung

                       

                      [attached image: tls_memory.PNG]

                      • 8. Re: How much memory is required to enable tls?
                        sam.lin

                        I know that.

                        What I want to know is the dynamically allocated memory, i.e. what is allocated by malloc.

                        If starting TLS also starts another thread, I'd like to know its stack size as well.
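                        The post above asks what TLS allocates at run time rather than what the linker map shows. One way to answer that on any platform is to put a counting wrapper in front of the allocator the TLS library uses and read the high-water mark after a handshake. The block below is an added example, not WICED SDK or BESL code: fake_tls_handshake() is a constructed stand-in whose allocation sizes are made up, and measure_peak()/heap_stats_get() are the parts you would keep. A side note on the 64449 value seen earlier in the thread: 64449 is 0xFBC1, which is also the low 16 bits of the negative number -1087 (0xFFFFFBC1), so a negative int return stored into a 16-bit result type would display exactly this way; printing the raw int return before any conversion is a cheap check, though nothing in the thread confirms that this is what happened.

```c
/*
 * Added example, not WICED SDK or BESL code: a tracking allocator that
 * records the heap high-water mark of whatever runs between reset and
 * read-out. fake_tls_handshake() is a constructed stand-in for a real
 * handshake; its sizes are made up for the demonstration.
 */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

typedef struct {
    size_t current;  /* bytes currently live through this tracker */
    size_t peak;     /* high-water mark since the last reset */
    size_t calls;    /* successful allocations since the last reset */
} heap_stats_t;

static heap_stats_t g_heap;

/* Every block carries its size in a header so tracked_free() can account for it. */
void *tracked_malloc(size_t n)
{
    size_t *p = malloc(sizeof(size_t) + n);
    if (p == NULL) {
        return NULL;
    }
    *p = n;
    g_heap.current += n;
    g_heap.calls++;
    if (g_heap.current > g_heap.peak) {
        g_heap.peak = g_heap.current;
    }
    return p + 1;
}

void tracked_free(void *ptr)
{
    if (ptr == NULL) {
        return;
    }
    size_t *p = (size_t *)ptr - 1;
    g_heap.current -= *p;
    free(p);
}

void heap_stats_reset(void)
{
    memset(&g_heap, 0, sizeof g_heap);
}

heap_stats_t heap_stats_get(void)
{
    return g_heap;
}

/* Constructed stand-in for a TLS client handshake: one context, one inbound
 * and one outbound record buffer (16 KiB payload + 5-byte header), and the
 * peer's certificate chain, released once "verified". Returns 0 on success
 * or -1 if any allocation failed, as a handshake would. */
int fake_tls_handshake(size_t cert_chain_bytes)
{
    void *ctx   = tracked_malloc(1024);
    void *in    = tracked_malloc(16384 + 5);
    void *out   = tracked_malloc(16384 + 5);
    void *chain = tracked_malloc(cert_chain_bytes);
    int rc = (ctx && in && out && chain) ? 0 : -1;

    tracked_free(chain);   /* transient: dropped after verification */
    tracked_free(out);
    tracked_free(in);
    tracked_free(ctx);
    return rc;
}

/* Run a workload under the tracker and return its peak heap usage in bytes.
 * If leaked_bytes_out is given, it receives what the workload failed to free. */
size_t measure_peak(int (*workload)(size_t), size_t arg, int *leaked_bytes_out)
{
    heap_stats_reset();
    (void)workload(arg);
    if (leaked_bytes_out != NULL) {
        *leaked_bytes_out = (int)g_heap.current;
    }
    return g_heap.peak;
}

/* The number a caller needs to budget before enabling TLS, for a given
 * certificate chain size (with the constructed handshake above). */
size_t tls_heap_budget_for_chain(size_t cert_chain_bytes)
{
    return measure_peak(fake_tls_handshake, cert_chain_bytes, NULL);
}
```

                        To measure the real thing, route the TLS library's allocator through tracked_malloc/tracked_free (whether and how a given SDK exposes such a hook is not shown here and is an assumption), call heap_stats_reset() before wiced_tcp_start_tls and read heap_stats_get() after it. Any thread stack the SDK creates has to be added separately, since stacks are not heap.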

                        • 9. Re: How much memory is required to enable tls?
                          sam.lin

                          Now I can reproduce the 64449 error code and the 5003 error with a modified
                          https_get snip code.

                          All I did was add a big array and test https_get with the link below:
                          https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.1

                          It's fine if I add a 30K array.
                          If I add a 50K array, I get result=5003.
                          If I add a 60K array, I get result=64449.

                          Adding a big array is just to simulate bigger firmware that takes more
                          memory. I think that even if I add a 50K array to the snip code, I still have 100k+
                          free memory available. So I have no idea why I get OOM and https_get fails.
                          The 5003 error is returned from tls_get_next_record().

                          • 11. Re: How much memory is required to enable tls?
                            sam.lin

                            We haven't gotten any fix, so this is still an issue for us.

                            I remember someone replied in another thread that the HTTPS issue might be fixed
                            in a newer SDK, but the situation is that we have a product in the production stage
                            with SDK-3.1.2. So we need the fix for SDK-3.1.2.

                            • 12. Re: How much memory is required to enable tls?
                              ndutton

                              Have you considered looking at ZentriOS - it automates much of the memory management concerns you refer to?

                              Zentri

                               

                              If you want to use an EXTERNAL microcontroller

                              https://docs.zentri.com/wifi/cmd/latest/search?q=memory

                              https://docs.zentri.com/wifi/cmd/latest/search?q=tls

                               

                              If you want to use the INTERNAL microcontroller

                              https://docs.zentri.com/wifi/sdk/latest/search?q=memory

                              https://docs.zentri.com/wifi/sdk/latest/search?q=tls

                              • 13. Re: How much memory is required to enable tls?
                                sam.lin

                                I still get the 5003 error in SDK-3.5.1 with the same test (trying to download a 132k file).

                                The first error is tls_get_next_record() returning 5003.

                                So, back to my original question:

                                How much memory is required to enable TLS? Is there any limitation?
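                                The 5003 (TLS_ERROR_OUT_OF_MEMORY) result from tls_get_next_record() while fetching a 132k body raises the question of what a record receiver actually has to buffer. The block below is an added reference receiver, not WICED's tls_get_next_record() (whose source is not on this page): it parses the 5-byte record header, rejects a length above the protocol maximum before copying anything, and reuses one fixed buffer for every record, so the memory it needs depends on the largest legal record (about 18 KiB), not on the size of the file. The 132 KiB stream it processes is constructed in demo_receive_large_body().

```c
/*
 * Added example, not WICED's tls_get_next_record(): a reference TLS record
 * receiver that holds at most one record at a time. All input data below is
 * constructed for the demonstration (plaintext framed as TLS records).
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TLS_HDR_LEN          5
#define TLS_MAX_PLAINTEXT    16384            /* 2^14, RFC 5246 6.2.1 */
#define TLS_MAX_CIPHERTEXT   (16384 + 2048)   /* 2^14 + 2048, RFC 5246 6.2.3 */

enum tls_content_type {
    TLS_CT_CHANGE_CIPHER_SPEC = 20,
    TLS_CT_ALERT              = 21,
    TLS_CT_HANDSHAKE          = 22,
    TLS_CT_APPLICATION_DATA   = 23
};

typedef struct {
    uint8_t  type;
    uint16_t version;   /* 0x0303 for TLS 1.2 */
    uint16_t length;    /* body length following the 5-byte header */
} tls_record_hdr_t;

/* Parse and sanity-check a record header. Returns 0 on success, -1 for an
 * unknown content type, wrong major version, or a body longer than the
 * protocol allows. Rejecting oversize lengths before allocating or copying
 * is what keeps the receiver's memory bounded. */
int tls_parse_record_header(const uint8_t hdr[TLS_HDR_LEN], tls_record_hdr_t *out)
{
    out->type    = hdr[0];
    out->version = (uint16_t)((hdr[1] << 8) | hdr[2]);
    out->length  = (uint16_t)((hdr[3] << 8) | hdr[4]);
    if (out->type < TLS_CT_CHANGE_CIPHER_SPEC || out->type > TLS_CT_APPLICATION_DATA) {
        return -1;
    }
    if (hdr[1] != 3) {    /* SSL 3.0 and every TLS 1.x use major version 3 */
        return -1;
    }
    if (out->length == 0 || out->length > TLS_MAX_CIPHERTEXT) {
        return -1;
    }
    return 0;
}

/* One fixed buffer sized for the largest legal record, reused for each one. */
typedef struct {
    uint8_t buf[TLS_HDR_LEN + TLS_MAX_CIPHERTEXT];
} tls_rx_t;

/* Walk a byte stream of back-to-back records. Each record is copied into
 * rx->buf (where a real receiver would decrypt and MAC-check it in place)
 * and its body length added to *delivered. Returns the record count, or -1
 * if a header is invalid or the stream is truncated. */
long tls_stream_records(tls_rx_t *rx, const uint8_t *stream, size_t len, size_t *delivered)
{
    size_t off = 0;
    long count = 0;
    *delivered = 0;
    while (off < len) {
        tls_record_hdr_t h;
        if (len - off < TLS_HDR_LEN || tls_parse_record_header(stream + off, &h) != 0) {
            return -1;
        }
        if (len - off - TLS_HDR_LEN < h.length) {
            return -1;                        /* truncated body */
        }
        memcpy(rx->buf, stream + off, TLS_HDR_LEN + h.length);
        *delivered += h.length;
        off += TLS_HDR_LEN + h.length;
        count++;
    }
    return count;
}

/* Serialise a constructed record (header + filler body); returns bytes written. */
size_t tls_make_record(uint8_t *out, uint8_t type, uint16_t body_len, uint8_t fill)
{
    out[0] = type;
    out[1] = 3; out[2] = 3;                   /* TLS 1.2 */
    out[3] = (uint8_t)(body_len >> 8);
    out[4] = (uint8_t)(body_len & 0xff);
    memset(out + TLS_HDR_LEN, fill, body_len);
    return TLS_HDR_LEN + body_len;
}

/* Demo: a constructed 132 KiB "download" split into 16 KiB records passes
 * through the single 18 KiB buffer. Returns bytes delivered, or 0 on error. */
size_t demo_receive_large_body(void)
{
    static uint8_t stream[9 * (TLS_HDR_LEN + TLS_MAX_PLAINTEXT)];
    static tls_rx_t rx;
    size_t off = 0, delivered = 0, remaining = 132 * 1024;
    while (remaining > 0) {
        uint16_t chunk = remaining > TLS_MAX_PLAINTEXT ? TLS_MAX_PLAINTEXT : (uint16_t)remaining;
        off += tls_make_record(stream + off, TLS_CT_APPLICATION_DATA, chunk, 0x41);
        remaining -= chunk;
    }
    return tls_stream_records(&rx, stream, off, &delivered) < 0 ? 0 : delivered;
}

/* Demo: a header claiming one byte more than the maximum is refused. */
int demo_oversize_header_rejected(void)
{
    uint8_t hdr[TLS_HDR_LEN] = { TLS_CT_APPLICATION_DATA, 3, 3,
                                 (uint8_t)((TLS_MAX_CIPHERTEXT + 1) >> 8),
                                 (uint8_t)((TLS_MAX_CIPHERTEXT + 1) & 0xff) };
    tls_record_hdr_t h;
    return tls_parse_record_header(hdr, &h) == -1;
}
```

                                A practical check this suggests: if the real receiver's OOM moves with the response size, something is retaining data across records (for example an application-layer buffer accumulating the whole body); if it fails at the same point regardless of size, the per-record buffer itself does not fit in the remaining heap.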

                                • 14. Re: How much memory is required to enable tls?
                                  hardy.chen

                                  Hi Sam and Broadcom team,

                                  I also get return code 1 (but only code 1; there is no other error code in my case), but I found that it seems to be related to the CA information.

                                  I tried to use a CA without "*." in the RelativeDistinguishedName item for id 'id-at-commonName', and then it works without returning an error code. So it was not a memory-related issue in my case.

                                  I still don't know why there is any relationship between ssl_handshake_client_async and the certificate file during the TLS handshake.

                                  Do you have any comments on my finding?
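                                  The report above is that a CA certificate whose commonName starts with "*." makes the handshake fail with code 1 while the same CA without it works. The thread does not show why, and the block below is an added example, not BESL or WICED code: it implements the wildcard matching rules of RFC 6125 section 6.4.3 as a client applies them to a presented name, so the reader can see which "*." forms a correct verifier accepts and which it rejects. All names and hostnames in it are constructed. Two caveats from the rest of the thread: with verification disabled (SSL_VERIFY_NONE, as in post 5) no name check runs at all and the peer is unauthenticated; and name matching applies to the end-entity certificate, so a wildcard in a CA certificate's subject is unusual whatever the library does with it.

```c
/*
 * Added example, not BESL or WICED code: RFC 6125 6.4.3 style matching of a
 * presented certificate name (SAN dNSName or CN) against a reference host.
 */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive ASCII comparison of two NUL-terminated strings. */
static bool ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) {
            return false;
        }
    }
    return *a == '\0' && *b == '\0';
}

static int count_char(const char *s, char c)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == c) {
            n++;
        }
    }
    return n;
}

/*
 * Returns true if `host` is matched by the certificate name `pattern`.
 *  - no wildcard: exact case-insensitive match;
 *  - a wildcard must be the entire leftmost label ("*.example.com");
 *    "w*.example.com", "*.*.example.com" and a bare "*" are rejected;
 *  - the wildcard matches exactly one label: "*.example.com" matches
 *    "www.example.com" but not "example.com" or "a.b.example.com";
 *  - at least two fixed labels must follow the wildcard, so "*.com" is
 *    rejected (a coarse stand-in for a public-suffix check).
 */
bool cert_name_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0') {
        return false;
    }
    if (strchr(pattern, '*') == NULL) {
        return ci_equal(pattern, host);
    }
    if (pattern[0] != '*' || pattern[1] != '.' || count_char(pattern, '*') != 1) {
        return false;
    }
    const char *suffix = pattern + 1;          /* ".example.com" */
    if (count_char(suffix + 1, '.') < 1) {     /* need "label.label" after "*." */
        return false;
    }
    const char *hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host) {        /* host needs a non-empty first label */
        return false;
    }
    return ci_equal(hdot, suffix);             /* one label consumed by the wildcard */
}

/* Check a host against every name a certificate presents (all SAN dNSNames,
 * with CN as the legacy fallback when no SAN exists). True on first match. */
bool cert_matches_any(const char *const *names, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++) {
        if (cert_name_matches(names[i], host)) {
            return true;
        }
    }
    return false;
}
```

                                  This matcher is what the client side should run on the leaf certificate after chain validation; it does not explain the code-1 failure above, it only shows which wildcard spellings a verifier is expected to accept.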
