I have compiled mbedtls for a K64F board with ARM Mbed OS. I am trying to run the examples that come in the dtls_client.c and dtls_server.c. Initially, on compiling the client I got this error:
"The NET and TIMING modules are not available for mbed OS - please use the network and timing functions provided by mbed OS"
I found that this was related to having this two lines active in the config.h file.
#define MBEDTLS_NET_C
#define MBEDTLS_TIMING_C
I commented them and the check that requires the values:
#if !defined(MBEDTLS_SSL_CLI_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_TIMING_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C)
int main( void )
{
mbedtls_printf( "MBEDTLS_SSL_CLI_C and/or MBEDTLS_SSL_PROTO_DTLS and/or "
"MBEDTLS_NET_C and/or MBEDTLS_TIMING_C and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CERTS_C and/or MBEDTLS_PEM_PARSE_C not defined.\n" );
return( 0 );
}
Now I see that the compilation error I get is related to the redefinition of certain functions:
main.cpp:(.text.startup.main+0x18): undefined reference to `mbedtls_net_init'
main.cpp:(.text.startup.main+0xce): undefined reference to `mbedtls_net_connect'
main.cpp:(.text.startup.main+0x2fc): undefined reference to `mbedtls_net_recv_timeout'
main.cpp:(.text.startup.main+0x300): undefined reference to `mbedtls_net_send'
main.cpp:(.text.startup.main+0x304): undefined reference to `mbedtls_net_recv'
main.cpp:(.text.startup.main+0x308): undefined reference to `mbedtls_timing_get_delay'
main.cpp:(.text.startup.main+0x30c): undefined reference to `mbedtls_timing_set_delay'
main.cpp:(.text.startup.main+0x35c): undefined reference to `mbedtls_net_free'
How can I define this calls to make it work?
Already answered here: https://tls.mbed.org/discussions/platform-specific/compiling-mbeddtls-on-k64f:
Hi Jordi,
dtls_client.c and dtls_server.c are sample applications that arrive as part of the mbed TLS git repository.
Note that mbed-OS arrives with its own mbed TLS feature directory. To test TLS feature, you can use the TLS client app and modify it to fit DTLS protocol, and also for server. You can also look at this example for reference how to configure your dtls client and server.
I hope this helps
mbed TLS Team member
Ron
Related
I am trying to build custom Micropython firmware with ethernet support for STM32F407VE. I've forked working board without ethernet support and trying to modify it with ethernet support.
Things I have done:
defined MICROPY_HW_ETH_* variables in mpconfigboard.h
added MICROPY_PY_LWIP = 1 to mpconfigboard.mk
added ETH_* pins to pins.csv
added additional pins from Port F, G, H, I to pins.csv
Here is my modified board: https://github.com/untitledlt/BLACK_F407VE
Now when I'm trying to build it, i get:
In file included from eth.c:31:
eth.c: In function 'eth_mac_init':
eth.c:163:106: error: implicit declaration of function 'STATIC_AF_ETH_RMII_REF_CLK'; did you mean 'STATIC_AF_ETH_RMII__REF_CLK'? [-Werror=implicit-function-declaration]
mp_hal_pin_config_alt_static(MICROPY_HW_ETH_RMII_REF_CLK, MP_HAL_PIN_MODE_ALT, MP_HAL_PIN_PULL_NONE, STATIC_AF_ETH_RMII_REF_CLK);
^~~~~~~~~~~~~~~~~~~~~~~~~~
pin_static_af.h:42:48: note: in definition of macro 'mp_hal_pin_config_alt_static'
mp_hal_pin_config(pin_obj, mode, pull, fn_type(pin_obj)) /* Overflow Error => alt func not found */
^~~~~~~
cc1: all warnings being treated as errors
make: *** [build-BLACK_F407VE/eth.o] Error 1
What am I doing wrong here?
There was a bug (typo) in Micropython branch.
ETH_RMII__REF_CLK should be replaced with ETH_RMII_REF_CLK in ports/stm32/boards/stm32f405_af.csv file.
It's already fixed by https://github.com/micropython/micropython/pull/5308.
All Credit goes to Mike Causer.
Thanks, Mike!
i am trying to compile OpenSSL (1.0.2h) with FIPS module (2.0.12) from source in which i need to additionally restrict all ECDHE, DHE, DSA, DES and DH Ciphers as well as TLSV1 and TLSV1.1 Protocol. Here are the steps that i did:
> root#cc3:/home/openssl#wget https://openssl.org/source/openssl-1.0.2h.tar.gz
> root#cc3:/home/openssl#wget https://openssl.org/source/openssl-fips-2.0.12.tar.gz
> root#cc3:/home/openssl#tar -xvf openssl-fips-2.0.12.tar.gz
> root#cc3:/home/openssl#tar -xvf openssl-1.0.2h.tar.gz
> root#cc3:/home/openssl#cd openssl-fips-2.0.12 && ./config -d && make && make install
> root#cc3:/home/openssl#cd /openssl-1.0.2h && ./config no-ssl2 no-ssl3
no-tls1 no-ecdhe no-dsa no-des no-dh --prefix=/home/openssl/local fips
&& make depend && make && make install
After doing the above steps, openssl compiles successfully and i can access it from /home/openssl/local/bin. However, when checking the list of available ciphers, i can still see ECDHE, DHE, DHA etc. in the list and i can even use them and TLSV1 protocol to connect to any website using s_client. The point is that the flags for configuring OpenSSL are not working for me.
Can anyone help me in figuring out exactly what is it that i am missing here? Am i doing something wrong and if yes then what can be done to fix the problem so that the Cipher Suites and older TLS Protocols are restricted? I used the method provided here to get a list of all possible parameters for config.
Also, is there a way to selectively restrict AES and RSA Ciphers? For example is there a way to disable AES256-SHA but keep open AES128-SHA?
Thanks!
I am stuck with the installation of TPC-E EGen on Mac OS X (or Linux). I have downloaded the workload generator from TPC website : www.tpc.org/tpce/egen-download-request.asp but I failed to build it.
When using the following command for building the utilities:
cd Utilities/prj/GNUMake/
make
I receive the following error:
../../prj/GNUMake/Makefile.EGenUtilities:136: ../../obj/DateTime.d: No such file or directory
../../prj/GNUMake/Makefile.EGenUtilities:136: ../../obj/EGenVersion.d: No such file or directory
../../prj/GNUMake/Makefile.EGenUtilities:136: ../../obj/error.d: No such file or directory
../../obj/locking.d:3: *** missing separator. Stop.
which is not a meaningful error and does not help in how to resolve the issue.
Any help or hint would be appreciated.
I found the problems:
1- in EGenStandardTypes.h, I had to replace
\#if defined (__unix) || (_AIX)
by
\#if defined(unix) || defined(\__unix__) || defined(\__unix) || defined(\__APPLE__) && defined(\__MACH__) || (_AIX)
in order to make this part of code work for Mac OS X as well.
2- in DateTime.cpp and error.cpp
I had to comment out #error directive usages, as my current version of GCC did not support it.
We are using libwebsockets 1.3 in our ssl enabled web socket client program written in c, we are compiling on Centos 6.5 with openssl 1.0.1 installed, making a .so library which is later used in asterisk. The compilation goes fine but I'm getting this runtime error:
problem creating ssl context 336236705: error:140A90A1:lib(20):func(169):reason(161)
Going through libwebsockets code I spotted the part that is generating the error message (lib/ssl.c line 90):
/* basic openssl init */
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
openssl_websocket_private_data_index =
SSL_get_ex_new_index(0, "libwebsockets", NULL, NULL, NULL);
/*
* Firefox insists on SSLv23 not SSLv3
* Konq disables SSLv2 by default now, SSLv23 works
*/
method = (SSL_METHOD *)SSLv23_server_method();
if (!method) {
error = ERR_get_error();
lwsl_err("problem creating ssl method %lu: %s\n",
error, ERR_error_string(error,
(char *)context->service_buffer));
return 1;
}
context->ssl_ctx = SSL_CTX_new(method); /* create context */
if (!context->ssl_ctx) {
error = ERR_get_error();
lwsl_err("problem creating ssl context %lu: %s\n",
error, ERR_error_string(error,
(char *)context->service_buffer));
return 1;
}
Which according to examples I've seen on the web looks absolutely fine, I've been scratching my head, searching and trying everything for the past couple of days including reinstalling different versions of openssl, changing the code above, replacing SSLv23_server_method with other methods, etc... but can't get it to work, does anybody know where the problem might be?
Additional informaiton:
Using ERR_print_errors_fp() I get:
3077879544:error:140A90A1:lib(20):func(169):reason(161):ssl_lib.c:1802:
part of our code that calls libwebsocket_create_context looks like this:
int opts = 0;
const char *interface = NULL;
int listen_port;
memset(&wsInfo, 0, sizeof wsInfo);
listen_port = CONTEXT_PORT_NO_LISTEN;
wsInfo.port = listen_port;
wsInfo.iface = interface;
wsInfo.protocols = protocols;
wsInfo.extensions = libwebsocket_get_internal_extensions();
wsInfo.gid = -1;
wsInfo.uid = -1;
wsInfo.options = opts;
wsContext = libwebsocket_create_context(&wsInfo);
The program is compiled into an .so library and the library is used in our modified version of asterisk (which itself uses openssl as far as I know).
problem creating ssl context 336236705: error:140A90A1:lib(20):func(169):reason(161)
This may have helped:
$ openssl errstr 0x140A90A1
error:140A90A1:SSL routines:SSL_CTX_new:library has no ciphers
"library has no ciphers" is a sure sign the library was not initialized. See OpenSSL's wiki page on intializing the library at Library Initialization.
Since Asterisk is doing really clever things, you should check what else its doing. In particular, you should ensure its not using weak/wounded/broken protocols and cipher suites. An example of how to improve a security posture can be found at SSL/TLS Client. The sample ensure TLS 1.0 and above, and uses "strong" cipher suites.
I got this error too by using a library that used the boost asio.
The lib was compiled against openssl-1.0, while my binary was compiled against openssl-1.1.
Switching my binary to also use openssl-1.0 solved the issue for me.
The problem is asterisk overrides all openssl initialization functions including SSL_library_init() and OpenSSL_add_all_algorithms() in main\libasteriskssl.c and replaces them with dummy functions that do nothing, instead it defines an ast_ssl_init() which does all the initializations and is called once in main() in main/asterisk.c, my code happened to be before that call.
Too long for a comment, but:
First things first, let's eliminate your code. In the libwebsockets distribution, in test/test-server.c there is a test server that works with SSL. Does that work? If so, I'm guessing it's something you are doing in your code (in which case we are going to need some of your code). If not, I'm guessing it's your distribution.
Next, let's make that error message a bit more informative. Can you introduce ERR_print_errors_fp() to print SSL errors to stderr or similar, and tell us what it says?
This question already has answers here:
SSL_read failing with SSL_ERROR_SYSCALL error
(6 answers)
Closed 8 years ago.
Unfortunately, I was unable to find an answer to my question on google.
I have 2 devices with very similar hardware. On 1 device my SSL code runs flawlessly, on the second it doesn't. The major difference between both devices is the linux kernel version.
The code works on 2.6.24.6 but not 2.4.21 (Error when attempting to do handshake using ssl_connect() the error is SSL_ERROR_SYSCALL). My guess is, the latter kernel version is not supported.
Could someone point me out to where I can find more information about minimum system requirements for OpenSSL ?
In case, kernel 2.4.21 is not supported, is there any other library I could use?
To see a list of supported OSes and platforms, run Configure with a bogus a argument:
$ ./Configure XXX
Configuring for XXX
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]
pick os/compiler from:
BC-32 BS2000-OSD BSD-generic32 BSD-generic64 BSD-ia64 BSD-sparc64 BSD-sparcv8
BSD-x86 BSD-x86-elf BSD-x86_64 Cygwin Cygwin-pre1.3 DJGPP MPE/iX-gcc OS2-EMX
OS390-Unix QNX6 QNX6-i386 ReliantUNIX SINIX SINIX-N UWIN VC-CE VC-WIN32
VC-WIN64A VC-WIN64I aix-cc aix-gcc aix3-cc aix64-cc aix64-gcc android
android-armv7 android-x86 aux3-gcc beos-x86-bone beos-x86-r5 bsdi-elf-gcc cc
cray-j90 cray-t3e darwin-i386-cc darwin-ppc-cc darwin64-ppc-cc
darwin64-x86_64-cc dgux-R3-gcc dgux-R4-gcc dgux-R4-x86-gcc dist gcc hpux-cc
hpux-gcc hpux-ia64-cc hpux-ia64-gcc hpux-parisc-cc hpux-parisc-cc-o4
hpux-parisc-gcc hpux-parisc1_1-cc hpux-parisc1_1-gcc hpux-parisc2-cc
hpux-parisc2-gcc hpux64-ia64-cc hpux64-ia64-gcc hpux64-parisc2-cc
hpux64-parisc2-gcc hurd-x86 iphoneos-cross irix-cc irix-gcc irix-mips3-cc
irix-mips3-gcc irix64-mips4-cc irix64-mips4-gcc linux-alpha+bwx-ccc
linux-alpha+bwx-gcc linux-alpha-ccc linux-alpha-gcc linux-aout linux-armv4
linux-elf linux-generic32 linux-generic64 linux-ia32-icc linux-ia64
linux-ia64-ecc linux-ia64-icc linux-ppc linux-ppc64 linux-sparcv8
linux-sparcv9 linux-x86_64 linux32-s390x linux64-s390x linux64-sparcv9 mingw
mingw64 ncr-scde netware-clib netware-clib-bsdsock netware-clib-bsdsock-gcc
netware-clib-gcc netware-libc netware-libc-bsdsock netware-libc-bsdsock-gcc
netware-libc-gcc newsos4-gcc nextstep nextstep3.3 osf1-alpha-cc osf1-alpha-gcc
purify qnx4 rhapsody-ppc-cc sco5-cc sco5-gcc solaris-sparcv7-cc
solaris-sparcv7-gcc solaris-sparcv8-cc solaris-sparcv8-gcc solaris-sparcv9-cc
solaris-sparcv9-gcc solaris-x86-cc solaris-x86-gcc solaris64-sparcv9-cc
solaris64-sparcv9-gcc solaris64-x86_64-cc solaris64-x86_64-gcc sunos-gcc
tandem-c89 tru64-alpha-cc uClinux-dist uClinux-dist64 ultrix-cc ultrix-gcc
unixware-2.0 unixware-2.1 unixware-7 unixware-7-gcc vos-gcc vxworks-mips
vxworks-ppc405 vxworks-ppc60x vxworks-ppc750 vxworks-ppc750-debug
vxworks-ppc860 vxworks-ppcgen vxworks-simlinux ...
NOTE: If in doubt, on Unix-ish systems use './config'.