1 (edited by kbhave 2014-10-23 14:08:03)

Topic: NetSecure_BlkGet - Where is this?

I am using an LPC1768, and while trying to establish an SSL connection with Google with CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL), my program gets stuck in the mp_init_size function (Integer.c) during signature verification. I traced this to an XMALLOC call. Looking at Settings.h and using standard debugging, I see that it is using NetSecure_BlkGet:

#if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
    #define MICRIUM_MALLOC   
    #define XMALLOC(s, h, type) ((void *)NetSecure_BlkGet((CPU_INT08U)(type), \
                                 (CPU_SIZE_T)(s), (void *)0))

Now where is this NetSecure_BlkGet function and any idea why it gets stuck here?
Thanks.


Re: NetSecure_BlkGet - Where is this?

Hi,

The code you specified above is specific to our Micrium uC/OS build, which I'm guessing you're probably not using.  Your IDE may have just found the wrong XMALLOC define when you searched for the macro being called.

But it does sound like you are running out of memory if XMALLOC is failing.  Sometimes the Google certs get fairly large (I've seen up to 11kB for a single cert).  If you are using the normal big integer math library, with 2048-bit RSA keys, expected stack usage should be around 7kB, with heap usage around 17kB.

In addition to those numbers, wolfSSL's I/O buffer can grow up to 16kB (on the heap).  This I/O buffer starts at 1kB, then grows and shrinks as needed.  The maximum SSL/TLS record size is defined as 16kB.  You may be able to reduce this using the Maximum Fragment Length Extension, which lets you specify a smaller maximum record size to use.

We put out a blog post about the Maximum Fragment Length Extension a while back, which can be found here:
http://www.yassl.com/yaSSL/Blog/Entries … yaSSL.html

API documentation for those functions can be found here:
http://www.yassl.com/yaSSL/Docs-cyassl- … sions.html

Best Regards,
Chris

Re: NetSecure_BlkGet - Where is this?

Hi,
The way I found out which XMALLOC will be used is by using the same ifdef statements that you have in settings.h. So this is not from a search. Basically, I added the following code in integer.c just before the call to XMALLOC, to determine which XMALLOC will be used:

#if defined(CYASSL_LEANPSK) && !defined(XMALLOC_USER)
    CYASSL_MSG("KRB: mp_init_size: Define 1");
#endif
#if defined(XMALLOC_USER) && defined(SSN_BUILDING_LIBYASSL)
    CYASSL_MSG("KRB: mp_init_size: Define 2");
#endif
#ifdef EBSNET
    CYASSL_MSG("KRB: mp_init_size: Define 3");
#endif
#ifdef CYASSL_SAFERTOS
    CYASSL_MSG("KRB: mp_init_size: Define 4");
#endif
#ifdef FREESCALE_MQX
    CYASSL_MSG("KRB: mp_init_size: Define 5");
#endif
#if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
    CYASSL_MSG("KRB: mp_init_size: Define 6. Uses NetSecure_BlkGet");
#endif

So even I am confused as to why it uses this.

I will definitely look into this Maximum Fragment Length Extension.

Thanks,
Kedar
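Added example, not part of the original posts and not wolfSSL code: in a C `#if`, any identifier that is not a defined macro is replaced by 0, so the "Define 6" probe above is taken whenever neither NET_SECURE_MGR_CFG_EN nor DEF_ENABLED is defined, because it reduces to `0 == 0`. The sketch below assumes a build where both macros are undefined and compares that probe with a guarded form; `DEMO_CFG_EN` and `DEMO_ENABLED` are constructed names used only to show the guarded form still fires when the feature is really configured.

```c
#include <stdio.h>

/* Assumption: NET_SECURE_MGR_CFG_EN and DEF_ENABLED are NOT defined anywhere,
 * as in a build that does not use the Micrium headers. */

/* Probe as written in the post: undefined names become 0, so this is (0 == 0). */
static int naive_probe(void)
{
#if (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
    return 1;   /* branch taken even though nothing is configured */
#else
    return 0;
#endif
}

/* Guarded probe: both macros must exist before their values are compared. */
static int guarded_probe(void)
{
#if defined(NET_SECURE_MGR_CFG_EN) && defined(DEF_ENABLED) && \
    (NET_SECURE_MGR_CFG_EN == DEF_ENABLED)
    return 1;
#else
    return 0;   /* correctly reports "not configured" */
#endif
}

/* Constructed macros standing in for a build where the feature really is on. */
#define DEMO_ENABLED 1
#define DEMO_CFG_EN  DEMO_ENABLED

static int guarded_probe_configured(void)
{
#if defined(DEMO_CFG_EN) && defined(DEMO_ENABLED) && \
    (DEMO_CFG_EN == DEMO_ENABLED)
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    printf("naive probe, macros undefined:   %d\n", naive_probe());
    printf("guarded probe, macros undefined: %d\n", guarded_probe());
    printf("guarded probe, macros defined:   %d\n", guarded_probe_configured());
    return 0;
}
```

Compiling the real sources with GCC or Clang and `-Wundef` reports each undefined identifier used in an `#if`, which shows whether a probe like this is comparing real configuration values.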


Re: NetSecure_BlkGet - Where is this?

Okay. I tried using this Extension by adding the following 2 defines in settings.h :

    #define HAVE_TLS_EXTENSIONS
    #define HAVE_MAX_FRAGMENT

and in main.cpp where SSL is getting initialized,

    ssl = CyaSSL_new(ctx);
    if (CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_9) != SSL_SUCCESS) {
        printf("CyaSSL_CTX_UseMaxFragment failed\n");
        int err = CyaSSL_get_error(ssl, 0);
        err_sys("SSL Connection Error");
    }

Unfortunately, this did not have any effect and the program stopped at the same location. And I am still not sure why it uses NetSecure_BlkGet.


Re: NetSecure_BlkGet - Where is this?

Any updates on this? Or any other pointers?


Re: NetSecure_BlkGet - Where is this?

Hi,

Are you using Micrium's uC-OS?  If not, can you find where NET_SECURE_MGR_CFG_EN is getting defined?  I just want to make sure you're using the correct XMALLOC for your environment.

As I noted above, sometimes Google's certificates can be very large.  Have you tried connecting to the wolfSSL example server which comes with the wolfSSL package?

Best Regards,
Chris

Re: NetSecure_BlkGet - Where is this?

Where is your example server?
