Rebuild the platform espressif32 with DTLS for Arduino framework

maxgerhardt · October 27, 2019, 1:21pm

Ok what exactly did you execute to rebuild it “using ESP-IDF tools”?

This is -0x7100 and indicates bad input data.

Mbed-TLS/mbedtls/blob/b23abcb38df6b38a50fd5cbd2e409811b0dcc67e/include/mbedtls/ssl.h#L76


      
          #endif
          
          #if defined(MBEDTLS_USE_PSA_CRYPTO)
          #include "psa/crypto.h"
          #endif /* MBEDTLS_USE_PSA_CRYPTO */
          
          /*
           * SSL Error codes
           */
          #define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE               -0x7080  /**< The requested feature is not available. */
          #define MBEDTLS_ERR_SSL_BAD_INPUT_DATA                    -0x7100  /**< Bad input parameters to function. */
          #define MBEDTLS_ERR_SSL_INVALID_MAC                       -0x7180  /**< Verification of the message MAC failed. */
          #define MBEDTLS_ERR_SSL_INVALID_RECORD                    -0x7200  /**< An invalid SSL record was received. */
          #define MBEDTLS_ERR_SSL_CONN_EOF                          -0x7280  /**< The connection indicated an EOF. */
          #define MBEDTLS_ERR_SSL_UNKNOWN_CIPHER                    -0x7300  /**< An unknown cipher was received. */
          #define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN                  -0x7380  /**< The server has no ciphersuites in common with the client. */
          #define MBEDTLS_ERR_SSL_NO_RNG                            -0x7400  /**< No RNG was provided to the SSL module. */
          #define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE             -0x7480  /**< No client certification received from the client, but required by the authentication mode. */
          #define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE             -0x7500  /**< Our own certificate(s) is/are too large to send in an SSL message. */
          #define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED              -0x7580  /**< The own certificate is not set, but needed by the server. */
          #define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED              -0x7600  /**< The own private key or pre-shared key is not set, but needed. */

What is exactly the test firmware and against which server are you talking about? Note that the CONFIG_MBEDTLS_SSL_PROTO_DTLS will generate a ClientHello which wants a HelloVerifyRequest. If your server sends something else you get that error.

github.com

espressif/arduino-esp32/blob/91e095f5a76ec35f06c86689a87892425395b8db/tools/sdk/include/mbedtls/mbedtls/esp_config.h#L1248-L1266


      
          /**
           * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
           *
           * Enable support for HelloVerifyRequest on DTLS servers.
           *
           * This feature is highly recommended to prevent DTLS servers being used as
           * amplifiers in DoS attacks against other hosts. It should always be enabled
           * unless you know for sure amplification cannot be a problem in the
           * environment in which your server operates.
           *
           * \warning Disabling this can ba a security risk! (see above)
           *
           * Requires: MBEDTLS_SSL_PROTO_DTLS
           *
           * Comment this to disable support for HelloVerifyRequest.
           */
          #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
          #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
          #endif

If you do not want that then you musn’t use the CONFIG_ macro but instead the direct collection of mbedtls macros, e.g.

build_flags = -D MBEDTLS_SSL_PROTO_DTLS -D MBEDTLS_SSL_DTLS_ANTI_REPLAY -D MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE -D MBEDTLS_SSL_DTLS_BADMAC_LIMIT

(no MBEDTLS_SSL_DTLS_HELLO_VERIFY included)