Topic: 308 Error in wolfSSL_accept()

Hi,

my aim is to establish a CoAP server with DTLS over UDP on an Arduino MKR1000. I used microcoap for CoAP and a given example UDP implementation from Arduino. To enable DTLS I followed the wolfSSL DTLS server example.
I merged this example to the UDP implementation from Arduino. Before this I ported wolfssl to the Arduino and implemented the random and xtime function.

My problem is that the handshake fails when I establish a connection from a CoAPS client to my CoAP server. On the server I get the UDP packet and I can parse it. But when I call wolfSSL_accept(ssl) it returns -1 and the error code is 308 - SOCKET_ERROR_E. The ssl parameter is not null. The source of the error is when the following method gets called in internal.c:

    in = Receive(ssl,
                 ssl->buffers.inputBuffer.buffer +
                 ssl->buffers.inputBuffer.length,
                 inSz);
    if (in == -1)
        return SOCKET_ERROR_E;

Why do I get this error?

Thanks,
Thomas


Re: 308 Error in wolfSSL_accept()

Hi Thomas,

-1 indicates that wolfSSL attempted to read from the socket and the read failed outright. Receive can return a non-read (0) which is not a failure, it is a successful read, but 0 bytes were waiting to be read. A -1 indicates an issue with the Receive methodology altogether, either the socket failed to be opened in the first place or there is a fundamental underlying error.

Have you registered your own IO callbacks or are you using our default "EmbedReceiveFrom" and "EmbedSendTo" functions?

Receive just calls whatever IOCallback Receive function was loaded with wolfSSL_SetIORecv API. If the user has not defined "WOLFSSL_USER_IO" and set their own callback function, then our default methods are loaded.

There are a number of reasons this could fail. What TCP/IP stack are you using? Are you checking all the return values when creating the socket? Are you confident the socket was successfully opened for TCP prior to calling wolfSSL_connect on the file descriptor?


Regards,

Kaleb

Re: 308 Error in wolfSSL_accept()

Hi Kaleb,

thank you for your answer. You were right, WOLFSSL_USER_IO was defined in the settings. I implemented my own IO callbacks and now the socket processes the values correctly. Your questions:

What TCP/IP stack are you using?

I use WiFi - IP - UDP.

Are you checking all the return values when creating the socket?

Yes I do.

Are you confident the socket was successfully opened for TCP prior to calling wolfSSL_connect on the file descriptor?

Here I'm not sure what you mean.

A new error occurred in the method ProcessReply from internal.c. When GetRecordHeader is called it returns SEQUENCE_ERROR (-370):

    case getRecordLayerHeader:
        ret = GetRecordHeader(ssl, ssl->buffers.inputBuffer.buffer,
                                   &ssl->buffers.inputBuffer.idx,
                                   &ssl->curRL, &ssl->curSize);

The 370 error comes from the following position:

#ifdef WOLFSSL_DTLS
    myRecordBuffer = DtlsCheckWindow(ssl);   /* debug copy of the window check result */
    if (IsDtlsNotSctpMode(ssl) &&
        (!DtlsCheckWindow(ssl) ||
         (ssl->options.handShakeDone && ssl->keys.curEpoch == 0))) {
        return SEQUENCE_ERROR;
    }
#endif

It gets hit because IsDtlsNotSctpMode(ssl) == 1 and !DtlsCheckWindow(ssl) == 0.

Please help me.

Regards,
Thomas


Re: 308 Error in wolfSSL_accept()

Hi Extremee,

Here I'm not sure what you mean.

I.e. checking the return codes on file descriptor/socket creation, something like this:

    /* internet address family, stream based tcp, default protocol */
    /* (needs <sys/socket.h>, <errno.h>, <stdio.h>, <stdlib.h>) */
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        printf("Failed to create socket. errno: %i\n", errno);
        return EXIT_FAILURE;
    }

It looks like everything is working so I will assume the answer here is also yes, you are confident the socket was created prior to calling connect on it.

DTLS uses sequence numbers during the handshake due to the following reason:

When doing a handshake using an unreliable protocol such as UDP there still needs to be a way to guarantee all the handshake packets arrive. To that extent DTLS must send a sequence number when transmitting flights of the handshake. If a flight fails to arrive at the destination that flight will be re-transmitted, similar to how TCP is a guaranteed protocol (guarantees all packets arrive or, if dropped, will re-send until all have arrived). DTLS has to mimic this behavior for the handshake portion of a connection only. To that end it checks if a flight arrives out of order. This is what you have encountered: a flight arrived out of order or with an incorrect sequence number.

Are you implementing the client or the server side?

Which end point are you connecting to? Is it a public endpoint that I could test myself to test interop with that endpoint and the wolfSSL DTLS implementation?

If it is not possible for me to test directly, could you capture a wireshark trace of the connection attempt and send me the pcap for analysis? (If the pcap will not attach to the forum post please email directly to support@wolfssl.com with your forum user name and a link to this post to identify which post the pcap belongs to)


Warm Regards,

Kaleb

Re: 308 Error in wolfSSL_accept()

Hi Kaleb,

thank you for your reply.

I am implementing the server side.

The wireshark capture is the attempt to connect a client to the server. My server sends nothing back because it fails during the ssl_accept.

DtlsCheckWindow now returns 1, but only because ssl->keys.curEpoch and ssl->keys.nextEpoch are both 0. After this it runs into UNKNOWN_RECORD_TYPE.

Regards
Thomas

Post's attachments

capture.pcapng 92.45 kb, 1 downloads since 2017-01-25 



Re: 308 Error in wolfSSL_accept()

Hi Extremee,

Review of the Wireshark capture shows some DTLS 1.2 Client Hello packets but no other UDP traffic at all.

Honestly it looks like the server just does not have DTLS enabled. Can you confirm if "WOLFSSL_DTLS" is defined in your configuration anywhere?

Did you use a datagram socket (udp) on the server?

sockfd = socket(AF_INET, SOCK_DGRAM, 0);

Could you send your configuration settings?

For a simple DTLS server example please see this project: https://github.com/wolfSSL/wolfssl-exam … ver-dtls.c


This overview may also be helpful: https://github.com/wolfSSL/wolfssl-exam … dp-dtls.md


Warm Regards,

Kaleb

Re: 308 Error in wolfSSL_accept()

Hi Kaleb,

yes I use UDP.

My settings:

#ifdef WOLFSSL_ARDUINO
    #define WOLFSSL_DTLS
    #define USER_TIME
    #define NO_INLINE
    #define NO_WRITEV
    #define NO_WOLFSSL_DIR
    #define SINGLE_THREADED
    #define NO_DEV_RANDOM
    #define WOLFSSL_USER_IO
    #define HAVE_ECC
    #define NO_DH
    #define NO_SESSION_CACHE
    #define USE_SLOW_SHA
#endif

I used this tutorial to transform your dtls server example to my arduino.

Here is my code on the Arduino. I attached the wolfSSL_write function to my code. Before this I skipped everything in the code when ssl_accept failed. Now the server is sending a client hello back. A new Wireshark capture is also attached. But I still get a 370 or 311 error in ssl_accept, depending on what the client writes in the epoch field.

Here is my code from the arduino sketch:

// ctx, ssl, cleanup, packetbuf and udp are globals declared elsewhere in the sketch (not shown).
void loop()
{
  int sz;
  // awaitDataGramm() creates the socket, sets options, binds the socket and waits for a client.
  // The client arrival is handled by an Arduino WiFi interface.
  int socketCheck = udp.awaitDataGramm(5684);
  Serial.println("SocketCheck ");
  Serial.println(socketCheck);

  // Returns the created socket number
  Serial.println(udp.getListenSocket());
  while (cleanup != 1) {
    // udp.parsePacket() is called every time a new packet arrives; it stores the client IP and port.
    if ((sz = udp.parsePacket()) > 0) {
      // Store client IP, client port and socket for the wolfSSL IO callbacks.
      getIpAndPort(udp.remoteIP(), udp.remotePort(), udp.getListenSocket());

      if ((ssl = wolfSSL_new(ctx)) == NULL) {
        Serial.println("wolfSSL_new error.");
        cleanup = 1;
      }
      if (wolfSSL_set_fd(ssl, udp.getListenSocket()) != SSL_SUCCESS) {
        Serial.println("set_fd error");
        cleanup = 1;
      }
      int result;
      // Accept always runs into an error.
      // When the client sets the epoch field to 0, a 311 error results.
      // When the client sets the epoch field > 0, wolfSSL loops in ProcessReply() because
      // GetRecordHeader always returns SEQUENCE_ERROR.
      if ((result = wolfSSL_accept(ssl)) != SSL_SUCCESS) {
        Serial.println(result);
        int err = wolfSSL_get_error(ssl, 0);
        Serial.println(err);
        Serial.println("SSL_accept failed.");
        cleanup = 1;
      }
      float temperature = readTemp();
      Serial.println(temperature);
      static char temp[16];                       // a 4-byte buffer is too small for "%f" output
      snprintf(temp, sizeof(temp), "%f", temperature);

      int checkRead;
      if ((checkRead = wolfSSL_read(ssl, packetbuf, sizeof(packetbuf))) < 0) {
        Serial.println("Read failed");
      }
      int checkWrite;
      if ((checkWrite = wolfSSL_write(ssl, temp, strlen(temp))) < 0) {
        Serial.println("Write failed");
      }
    }
  }
}

Regards
Thomas

Post's attachments

captureHandshake.pcapng 1.61 kb, 2 downloads since 2017-01-26 

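Both the out-of-order flight explanation in Kaleb's reply and Thomas's observation that the outcome depends on the epoch field come down to the DTLS record header check. The following is an added example, not code from the thread or from wolfSSL: it parses the 13-byte DTLS 1.2 record header and runs a simplified anti-replay window over constructed headers, showing the rejection of a repeated sequence number and of a record from an unexpected epoch (the SEQUENCE_ERROR cases) and of an unknown content type. The window is a stand-in for wolfSSL's DtlsCheckWindow, not its implementation, and the error names are local to the example.

```c
#include <stdint.h>
#include <stddef.h>
/* DTLS 1.2 record header (13 bytes): type(1) version(2) epoch(2) sequence(6) length(2) */
#define REPLAY_WINDOW 64
enum { DTLS_OK = 0, ERR_SHORT = -1, ERR_UNKNOWN_RECORD_TYPE = -2, ERR_SEQUENCE = -3 };
typedef struct { uint8_t type; uint16_t version, epoch, len; uint64_t seq; } dtls_hdr;
typedef struct { uint16_t epoch; uint64_t max_seq, bits; int seen_any; } dtls_window;
int dtls_parse_header(const uint8_t *p, size_t n, dtls_hdr *h) {
    if (n < 13) return ERR_SHORT;                   /* truncated datagram */
    h->type = p[0];
    if (h->type < 20 || h->type > 23) return ERR_UNKNOWN_RECORD_TYPE; /* CCS, Alert, Handshake, AppData */
    h->version = (uint16_t)((p[1] << 8) | p[2]);    /* 0xfefd for DTLS 1.2 */
    h->epoch   = (uint16_t)((p[3] << 8) | p[4]);
    h->seq = 0; for (int i = 5; i < 11; i++) h->seq = (h->seq << 8) | p[i];
    h->len = (uint16_t)((p[11] << 8) | p[12]);
    return DTLS_OK;
}
/* Sliding anti-replay window in the spirit of RFC 6347 4.1.2.6, a simplified stand-in for
 * wolfSSL's DtlsCheckWindow (not its code). Bit k of 'bits' marks max_seq - k as seen. */
int dtls_check_window(dtls_window *w, const dtls_hdr *h) {
    if (h->epoch != w->epoch) return ERR_SEQUENCE;  /* record from an epoch we are not in */
    if (!w->seen_any || h->seq > w->max_seq) {      /* newest record so far: slide the window */
        uint64_t shift = w->seen_any ? h->seq - w->max_seq : 0;
        w->bits = (shift >= REPLAY_WINDOW) ? 0 : (w->bits << shift);
        w->bits |= 1; w->max_seq = h->seq; w->seen_any = 1;
        return DTLS_OK;
    }
    uint64_t back = w->max_seq - h->seq;
    if (back >= REPLAY_WINDOW || (w->bits & (1ULL << back))) return ERR_SEQUENCE; /* old or replay */
    w->bits |= 1ULL << back;
    return DTLS_OK;
}
/* Parse, then window-check, one datagram: the two steps GetRecordHeader chains. */
int dtls_accept_record(dtls_window *w, const uint8_t *p, size_t n) {
    dtls_hdr h; int r = dtls_parse_header(p, n, &h);
    return (r != DTLS_OK) ? r : dtls_check_window(w, &h);
}
/* Constructed headers (not from the thread's capture): Handshake in epoch 0 / epoch 1, bogus type. */
static const uint8_t HELLO_E0[13] = {22, 0xfe, 0xfd, 0, 0, 0, 0, 0, 0, 0, 0, 0, 42};
static const uint8_t HELLO_E1[13] = {22, 0xfe, 0xfd, 0, 1, 0, 0, 0, 0, 0, 0, 0, 42};
static const uint8_t BAD_TYPE[13] = {0x99, 0xfe, 0xfd, 0, 0, 0, 0, 0, 0, 0, 1, 0, 42};
/* Replays the thread's situations on a fresh epoch-0 window; returns how many behave as described (4). */
int run_demo(void) {
    dtls_window w = {0, 0, 0, 0}; int ok = 0;
    ok += (dtls_accept_record(&w, HELLO_E0, 13) == DTLS_OK);       /* fresh ClientHello, seq 0 */
    ok += (dtls_accept_record(&w, HELLO_E0, 13) == ERR_SEQUENCE);  /* same seq again: replay */
    ok += (dtls_accept_record(&w, HELLO_E1, 13) == ERR_SEQUENCE);  /* epoch 1 before ChangeCipherSpec */
    ok += (dtls_accept_record(&w, BAD_TYPE, 13) == ERR_UNKNOWN_RECORD_TYPE);
    return ok;
}
```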


Re: 308 Error in wolfSSL_accept()

Hi Extremee,

I'm looking into the reasons you might be experiencing the UNKNOWN_RECORD_TYPE in the header or SEQUENCE_ERROR, but the Wireshark capture is not revealing. All the header information in the capture you sent looks correct. Is there something that was stripped out when the capture was filtered? Is there some other data we're missing?

Could you provide some details on the project you are working on and the end goals?


Thanks,

Kaleb

Re: 308 Error in wolfSSL_accept()

Hi Kaleb,

as I wrote in my first post, I want to establish a DTLS-over-CoAP server on the Arduino MKR1000. This project is the last part of my bachelor thesis.

Today I decided to configure the library anew. I got stuck on an error way before the other issues. Now wolfSSL_new() fails with 173 - BAD_FUNC_ARG. I don't know how this will come to an end... please help me again.

Regards
Thomas


Re: 308 Error in wolfSSL_accept()

Hi Extremee,

What changes were made during "configure the library new" (re-configure)? Did you add new defines or remove defines, a combination of both?

What are your settings now?

I apologize for answering your question with questions so often but it's difficult to address what the issue might be without all the information.


- Kaleb

Re: 308 Error in wolfSSL_accept()

Hi Kaleb,

that's the point, I changed nothing. I just downloaded wolfSSL again and configured it as I had it before. Then I replaced the old library with the new one.

The settings are the same which I posted before.

I know, and I thank you, that you spend your time on my issues. Do you have an idea what I could try?

Regards
Thomas


Re: 308 Error in wolfSSL_accept()

Hi Kaleb,

I found the issue 173 - BAD_FUNC_ARG. It must be something with the generated seed in random.c. I implemented this with a template from Arduino. This one fails at ssl_new(). When I just return 0 - (I have read that somewhere) - in the generated seed, the error is then 370 in ssl_accept().
Could this be the failure? What should I write in the generated seed, when the one from Arduino is failing?

Regards,
Thomas
