Re: [mbed-tls] Request for Support [Issue : Webserver handshake failing with self-signed certificate] - mbed-tls

7 Jun 2021


      Hi Selin,
Another thing to check is that the stack is large enough. Stack
overflows can sometimes cause weird behavior.
Other than that, I'm afraid I can't think of a reason why there would be
an infinite loop involving mbedtls_mpi_cmp_mpi. To go further, I think
you need to trace the program in a debugger, figure out what arguments
are being passed to the functions, and where the infinite loop is.
Best regards,
-- 
Gilles Peskine
Mbed TLS developer

On 26/05/2021 10:24, Selin Chris via mbed-tls wrote:
> Hi Gilles,
>
> Thanks for the quick reply.
>
> I migrated to version 2.16, and I have seen the same issue is still
> there. Moreover, we have reseeded the RNG, still issue is there.
>
>  
>
> I created a client and it's working fine, it's able to handshake and
> send data to the server. Only problem is server communication where
> control is going in infinite loop while creating server key exchange.
> As you asked for the call stack of the loop, I am attaching the call
> stack with this mail.
>
> Please support us.
>
>  
>
> Thank you.
>
>
> Regards,
>
> Selin.
>
>
>
> On Fri, May 21, 2021 at 5:30 PM
> <mbed-tls-request@lists.trustedfirmware.org
> mailto:mbed-tls-request@lists.trustedfirmware.org> wrote:
>
>     Send mbed-tls mailing list submissions to
>             mbed-tls@lists.trustedfirmware.org
>     mailto:mbed-tls@lists.trustedfirmware.org
>
>     To subscribe or unsubscribe via the World Wide Web, visit
>            
>     https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
>     https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
>     or, via email, send a message with subject or body 'help' to
>             mbed-tls-request@lists.trustedfirmware.org
>     mailto:mbed-tls-request@lists.trustedfirmware.org
>
>     You can reach the person managing the list at
>             mbed-tls-owner@lists.trustedfirmware.org
>     mailto:mbed-tls-owner@lists.trustedfirmware.org
>
>     When replying, please edit your Subject line so it is more specific
>     than "Re: Contents of mbed-tls digest..."
>
>
>     Today's Topics:
>
>        1. Re: Request for Support [Issue : Webserver handshake failing
>           with self-signed certificate] (Gilles Peskine)
>
>
>     ----------------------------------------------------------------------
>
>     Message: 1
>     Date: Thu, 20 May 2021 15:13:54 +0200
>     From: Gilles Peskine <gilles.peskine@arm.com
>     mailto:gilles.peskine@arm.com>
>     To: mbed-tls@lists.trustedfirmware.org
>     mailto:mbed-tls@lists.trustedfirmware.org
>     Subject: Re: [mbed-tls] Request for Support [Issue : Webserver
>             handshake failing with self-signed certificate]
>     Message-ID: <93c3cd71-bdc1-c3ec-4bbc-89ff995a8444@arm.com
>     mailto:93c3cd71-bdc1-c3ec-4bbc-89ff995a8444@arm.com>
>     Content-Type: text/plain; charset=utf-8
>
>     Hi Selin,
>
>     A possible problem could be a misconfigured random generator. However
>     this is purely speculation. Can you get a stack trace? Finding the
>     root
>     cause requires finding where mbedtls_mpi_cmp_mpi is called.
>
>     Please note that Mbed TLS 2.16.3 has known bugs and
>     vulnerabilities. You
>     should upgrade to the latest bug-fixing version of the 2.16
>     branch, 2.16.10.
>
>     -- 
>     Gilles Peskine
>     Mbed TLS developer
>
>     On 20/05/2021 13:06, Selin Chris via mbed-tls wrote:
>     >
>     > Hi,
>     >
>     > Thank you for adding me to the mbed-tls mailing list.
>     >
>     > We have created a self-signed certificate with ECC key of
>     > MBEDTLS_ECP_DP_SECP256R1 type, since it is a self-signed certificate
>     > after we send the certificate to chrome from our web server it shows
>     > not trusted and goes to the page where we need to manually proceed
>     > with the acceptance of the certificate to allow further
>     communication.
>     > After this we again have to perform handshake for which we need to
>     > prepare the server key exchange, while preparing the server key
>     > exchange we notice that it is infinitely calling the
>     > mbedtls_mpi_cmp_mpi() function in bignum.c and the execution is not
>     > able to proceed hereafter. Sometimes we also see that when executing
>     > ssl_prepare_server_key_exchange() function in ssl_srv.c we find
>     > ciphersuite_info pointer as null and the program goes into data
>     panic
>     > due to that. We have checked our stacks and not seen any sign of
>     > corruption.
>     >
>     > The mbedtls version that we are using is mbedtls-2.16.3.
>     > Please find the attached wireshark trace during this scenario.
>     The IP
>     > 192.168.2.67 corresponds to our webserver and 192.168.2.100 the pc
>     > with the browser.
>     >
>     > Please let us know the root-cause of the issue and the actions to be
>     > taken to fix this - can you please expedite as this is a blocking
>     > issue in our project.
>     >
>     > Thanks for the support.
>     >
>     > Regards,
>     > Selin.
>     >
>     >
>     >
>
>
>
>     ------------------------------
>
>     Subject: Digest Footer
>
>     mbed-tls mailing list
>     mbed-tls@lists.trustedfirmware.org
>     mailto:mbed-tls@lists.trustedfirmware.org
>     https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
>     https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
>
>
>     ------------------------------
>
>     End of mbed-tls Digest, Vol 15, Issue 8
>     ***************************************
>
>