I simulated Amazon FreeRTOS with the Windows simulator by generating the key-certificate pair with AWS IoT, and I am using the same key-certificate pair in the application code on the hardware.
During mbedtls_ssl_handshake(), the code hangs in the client_hello() step. I went through the code (step over), and I can see that sometimes it hangs while selecting a cipher, or sometimes in the MBED_TLS_HELLO case in ssl_cli.c, which is basically pointing to another state. I have also observed that sometimes it hangs in random functions. I am not able to find the exact cause.
I ran out of ways to debug the code. Also, I have very little experience in embedded security.
FYI, I am using all new version AFR libraries (1.2.6). I am currently using an SD card to read and write credentials and the EEPROM for entropy generation.
I see that you have mentioned that your entropy source is the EEPROM here, so I have also now noticed you mentioned that in your other thread as well. Is your entropy source working as expected?
Each port using pkcs11 with mbedtls needs to have mbedtls_hardware_poll defined correctly. If this function is not set up correctly, then we may have some undesired behavior. For example, if the same random number is provided each time, or each time the device is reset, then the “randomly” generated sequence number for the TCP/IP connection will be reused. This may cause the server to think that the current session is the same as before. The server will then return an error that the socket has already been closed.
When I navigate through the code during debug, I can see that a 32-byte read/write to and from the EEPROM is happening properly. Also, the check about ‘have at least one entropy source?’ returns positive. I cannot check if it is different every time, as some characters are not displayed properly in the debug window (not a Unicode character).
However, I have not implemented hardware poll yet. Is it a must even if I have an entropy source already?
FYI, the board is Atmel ATSAM4E, it does not have a hardware TRNG (True Random number generator). So, even if I want to implement the aws_hardware_poll function, is it possible?
Regards,
Sudarshan Bhat
Edited by: lesudu on May 30, 2018 10:13 AM
Edited by: lesudu on May 30, 2018 10:15 AM
Edited by: lesudu on May 30, 2018 1:37 PM
Update: I have checked the generated random numbers which are stored in the EEPROM. The Unicode characters look the same every time I reset the board. I am assuming the same “random” number is generated every time, and I have no idea yet how to make it work!
It is mentioned on the mbedtls website that pseudo random number generators cannot be used, as they do not make a strong entropy source.
It says:
"4. How to implement the Non-Volatile seed entropy source
If a hardware platform does not have a hardware entropy source to leverage into the entropy pool, alternatives have to be considered. "
So, the NV_seed method can be used as an alternative to mbedtls_hardware_poll()?
Can you please confirm?
If you are taking your device to production and there is not a TRNG on your device, then implementing the non-volatile seeding method is an alternative.
For lab testing and verifying your code, it is sufficient to use the pseudo random generator for the hardware poll.
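An added sketch of the non-volatile seeding idea discussed above (not code from the thread, Amazon FreeRTOS or mbed TLS): the stored seed is advanced and written back before any output is released, and the poll fails closed if the seed did not change. Only the mbedtls_hardware_poll() signature is taken from mbed TLS; the in-memory `nv_seed` array, `nv_write_ok`, `nv_write`, `mix` and `nv_seed_poll` are hypothetical names, and `mix` is a non-cryptographic stand-in for a real hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEED_LEN 32

/* Simulated EEPROM (constructed stand-in for the board's real driver). */
static uint8_t nv_seed[SEED_LEN];
static int nv_write_ok = 1;            /* 0 simulates a write that never lands */

static void nv_write(const uint8_t *src)
{
    if (nv_write_ok) memcpy(nv_seed, src, SEED_LEN);
}

/* Stand-in mixer (FNV-1a per output byte). NOT cryptographic: a real port
 * would use a hash such as SHA-256 here. */
static void mix(const uint8_t *in, uint8_t tag, uint8_t *out, size_t out_len)
{
    for (size_t i = 0; i < out_len; i++) {
        uint32_t h = (2166136261u ^ tag ^ ((uint32_t)i << 8)) * 16777619u;
        for (size_t j = 0; j < SEED_LEN; j++)
            h = (h ^ in[j]) * 16777619u;
        out[i] = (uint8_t)(h >> 16);
    }
}

/* Same signature as mbedtls_hardware_poll(). */
int nv_seed_poll(void *data, unsigned char *output, size_t len, size_t *olen)
{
    uint8_t old[SEED_LEN], next[SEED_LEN];
    (void)data;
    memcpy(old, nv_seed, SEED_LEN);            /* read the stored seed */
    mix(old, 0x01, next, SEED_LEN);            /* derive the next seed */
    nv_write(next);                            /* persist it before any output */
    if (memcmp(nv_seed, next, SEED_LEN) != 0)
        return -1;                             /* seed did not advance: fail closed */
    if (len > SEED_LEN) len = SEED_LEN;
    mix(old, 0x02, output, len);               /* different tag than the next seed */
    *olen = len;
    return 0;
}

int main(void)
{
    unsigned char out[SEED_LEN]; size_t n;
    memset(nv_seed, 0xA5, SEED_LEN);           /* constructed factory seed */
    for (int boot = 1; boot <= 2; boot++) {    /* each call models one reset */
        if (nv_seed_poll(NULL, out, sizeof out, &n) != 0) return 1;
        printf("boot %d: %02x%02x%02x%02x...\n", boot, out[0], out[1], out[2], out[3]);
    }
    return 0;
}
```

On a real device the initial seed has to be provisioned per device from a genuine random source, since everything derived afterwards is only as unpredictable as that first value.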
I found out that the heap memory is running out when the program is running. The malloc failed hook is called. (I am using heap5.)
I used static memories for mbedTLS with changes in config.h.
If I decrease the allocated memory for tasks to make memory available to heap, I get stack overflow error.
- The application hangs in different places each time (most times during server_hello).
You can adjust the buffers in the buffer pool used by MQTT according to your application's needs with the bufferpoolconfigNUM_BUFFERS and bufferpoolconfigBUFFER_SIZE macros in the aws_bufferpool_config.h file.