Error while connectiong to AWS

Hello Everyone,

I am trying to connect to AWS using mbedtls library over lwIP. When it comes to ‘case MBEDTLS_SSL_CERTIFICATE_VERIFY:’ case, the function “ssl_write_certificate_verify” returns me an error code: -17168. Where am I going wrong?

Kindly help me through this. Check my TLS init code below:

const char *pers = “MT_TEST”;

/* Setup the thread callbacks */
mbedtls_threading_set_alt(threading_mutex_init_pthread,
threading_mutex_free_pthread, threading_mutex_lock_pthread,
threading_mutex_unlock_pthread);

/* initialize the different descriptors */
mbedtls_entropy_init( &stentropy );

ret = mbedtls_entropy_add_source(&stentropy, entropy_source, NULL, 128,
MBEDTLS_ENTROPY_SOURCE_STRONG);
if (ret != 0) {
mbedtls_entropy_free(&stentropy);
return -1;
}

mbedtls_ctr_drbg_init( &stctr_drbg );

if( ( ret = mbedtls_ctr_drbg_seed( &stctr_drbg, mbedtls_entropy_func, &stentropy,
(const unsigned char *) pers,
strlen(pers ) ) ) != 0 )
{
LWIP_DEBUGF(MQTT_APP_DEBUG_TRACE,( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret ));
printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
return -1;
}

mbedtls_ssl_init( &stssl );
mbedtls_ssl_config_init( &stconf );

/*

  • First prepare the SSL configuration by setting the endpoint and transport type, and loading reasonable
  • defaults for security parameters. The endpoint determines if the stconf/TLS layer will act as a server (MBEDTLS_SSL_IS_SERVER)
  • or a client (MBEDTLS_SSL_IS_CLIENT). The transport type determines if we are using TLS (MBEDTLS_SSL_TRANSPORT_STREAM)
  • or DTLS (MBEDTLS_SSL_TRANSPORT_DATAGRAM).
    */
    if( ( ret = mbedtls_ssl_config_defaults( &stconf,
    MBEDTLS_SSL_IS_CLIENT,
    MBEDTLS_SSL_TRANSPORT_STREAM,
    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
    LWIP_DEBUGF(MQTT_APP_DEBUG_TRACE,( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ));
    printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
    return -1;
    }

/* Set rsa_min_bitlen to 1024 for better compatibility */
crtProfile = mbedtls_x509_crt_profile_default;
crtProfile.rsa_min_bitlen = 1024;
mbedtls_ssl_conf_cert_profile(&stconf, &crtProfile);

mbedtls_x509_crt_init( &stcacert );

/* The authentication mode determines how strict the certificates that are presented are checked. */
#if CONFIG_USE_SERVER_VERIFICATION
#if CONFIG_USE_BROKER_ADAFRUIT
#error “no certificate?”
#elif CONFIG_USE_BROKER_AZURE
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *)mbedtls_azure_ca_crt, mbedtls_azure_ca_crt_len );
#elif CONFIG_USE_BROKER_MOSQUITTO_TEST
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *)mbedtls_mosquitto_test_ca_crt, mbedtls_mosquitto_test_ca_crt_len );
#elif CONFIG_USE_BROKER_LOCAL
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *)mbedtls_m2mqtt_srv_crt, mbedtls_m2mqtt_srv_crt_len );
#elif CONFIG_USE_BROKER_AWS
mbedtls_x509_crt_init( &stlocalcert );
mbedtls_pk_init(&stPKctx);

ret = mbedtls_x509_crt_parse(&stlocalcert, (const unsigned char *)client_cert_pem,
		client_cert_pem_len );
if(ret != 0)
{
  printf( " failed\n  !  mbedtls_x509_crt_parse local cert returned -0x%x\n\n", -ret );
  return -1;
}

ret = mbedtls_pk_parse_key(&stPKctx, (const unsigned char *)client_private_key_pem,
		client_private_key_pem_len, NULL, 0);
if (ret != 0)
{
	printf( " failed\n  !  mbedtls_pk_parse_key returned -0x%x\n\n", -ret );
	return -1;
}

ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *)root_ca_pem, root_ca_pem_len );
if(ret != 0)
{
  printf( " failed\n  !  mbedtls_x509_crt_parse root CA returned -0x%x\n\n", -ret );
  return -1;
}

ret = mbedtls_ssl_conf_own_cert(&stconf, &stlocalcert, &stPKctx);
if (ret != 0)
{
	printf( " failed\n  !  mbedtls_ssl_conf_own_cert returned -0x%x\n\n", -ret );
	return -1;
}

#else
#error “unknown mqtt broker?”
#endif

if(ret != 0)
{
printf( " failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
}

mbedtls_ssl_conf_ca_chain( &stconf, &stcacert, NULL );
mbedtls_ssl_conf_authmode(&stconf, MBEDTLS_SSL_VERIFY_REQUIRED);
#else
mbedtls_ssl_conf_authmode(&stconf, MBEDTLS_SSL_VERIFY_NONE);
#endif

/* The library needs to know which random engine to use and which debug function to use as callback. */
mbedtls_ssl_conf_rng( &stconf, mbedtls_ctr_drbg_random, &stctr_drbg );
mbedtls_ssl_conf_dbg( &stconf, my_debug, stdout );

ret = mbedtls_ssl_setup(&stssl, &stconf);
if (ret != 0) {
LWIP_ASSERT(“mbedtls_ssl_setup failed. \n”, ret == 0);
/* TODO: convert ‘ret’ to err_t */
return ERR_MEM;
}

/* the SSL context needs to know the input and output functions it needs to use for sending out network traffic. */
mbedtls_ssl_set_bio(&ssl, &mqtt_client, mbedtls_net_send, mbedtls_net_recv, NULL);

return 0; /* no error */

HI @urvishah
If you run the strerror too, you would see that error -17168 means “RSA - The private key operation failed : BIGNUM - Memory allocation failed”
This means that you don’t have enough memory for this RSA operation (server certificate verification)
This could ewither be a real memory issue on your platform, a memory leak in your application or some configuration issues.

In addition, I see you have change the profile to allow 1024 RSA bit key size. Note that RSA with 1024 bit key size is not considered secure.
Regards,
Mbed TLS Support
Ron

Hi Roneld01,

I increased controller’s heap memory size and problem get solved.

Thank you for the support.