How do I select a menu item via AT command on Quectel M26 chip? - quectel

I am trying to use the SIM Menu using the STK of Quectel M26 and I am having trouble traversing the menu via AT command with their STK.
Inserting the SIM card results in a +STKPCI response:
+CPIN: READY
Call Ready
+STKPCI: 0,"D03F810301250082028182850A476C6F6265204C6F61648F0D01526567756C6172204C6F61648F0A02496E76656E746F72798F0D034C6F616420486F746C696E65"
Parsing this results in:
D0 // pro-active command
3F // length
81 03 012500 // command details
82 02 8182 // device identity
85 0A 476C6F6265204C6F6164 // Globe Load
8F 0D 01 526567756C6172204C6F6164 // Regular Load
8F 0A 02 496E76656E746F7279 // Inventory
8F 0D 03 4C6F616420486F746C696E65 // Load Hotline
As per the Quectel document (GSM_STK_ATC_V1.1), this is how to go back one menu:
AT+STKTR="810301230082028281830111"
81 03 012300 // command details (replacing 24 with 23)
82 02 8281 // device identity
83 01 11 // go back one step
And to go back, use this command:
AT+STKTR="810301230082028281830110"
81 03 012300 // command details
82 02 8281 // device identity
83 01 10 // back to main
Issuing these results in an "OK", but since I still can't go through the other options, I am not able to test it fully.
Now, to my issue: I can't figure out how to select an item. I already tried this, but it only responded with an "OK" and nothing else.
I tried selecting it by item ID:
AT+STKTR="8103012300820281828301008D0102"
81 03 012300 // command details
82 02 8182 // device identity
83 01 00 // get input
8D 01 02 // selecting Inventory by item ID
I tried selecting with the text:
AT+STKTR="8103012300820281828301008D09496E76656E746F7279"
81 03 012300 // command details
82 02 8182 // device identity
83 01 00 // get input
8D 09 496E76656E746F7279 // selecting Inventory by text
I also tried selecting it with both:
AT+STKTR="8103012300820281828301008D09496E76656E746F7279"
81 03 012300 // command details
82 02 8182 // device identity
83 01 00 // get input
8D 0A 02496E76656E746F7279 // selecting Inventory by ID & text
I also tried to use the envelope command:
AT+STKENV="D30782028182900101"
D3 // menu selection
07 // length
82 02 8182 // device identity
90 01 02 // selecting Inventory
However, none of those gives any other response.
So my question is how do I select a menu item via AT command on Quectel M26 chip?
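The hex strings in the question are BER-TLV structures, and decoding them mechanically makes the tags, lengths and item identifiers visible. The following is an added example for this page, not Quectel code; tag and command-type names follow ETSI TS 102 223, and the sample input is the +STKPCI payload quoted above.

```python
"""Decode the BER-TLV payloads quoted in the question: the +STKPCI proactive
command (tag D0), an AT+STKENV envelope (tag D3) and the bare TLV lists sent
with AT+STKTR. Added example, not Quectel code; names per ETSI TS 102 223."""

# Proactive command copied from the +STKPCI line in the question.
STKPCI_HEX = ("D03F810301250082028182850A476C6F6265204C6F61648F0D01526567756C61"
              "72204C6F61648F0A02496E76656E746F72798F0D034C6F616420486F746C696E65")

TAG_NAMES = {0x01: "Command details", 0x02: "Device identities",
             0x03: "Result", 0x05: "Alpha identifier", 0x0D: "Text string",
             0x0F: "Item", 0x10: "Item identifier"}
COMMAND_TYPES = {0x23: "GET INPUT", 0x24: "SELECT ITEM", 0x25: "SET UP MENU"}

def parse_tlvs(data):
    """Split simple TLVs: 1-byte tag (bit 8 = comprehension required),
    1-byte length or 0x81 followed by a 1-byte length, then the value."""
    tlvs, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length == 0x81:
            length, i = data[i], i + 1
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"tag {tag:02X} declares {length} bytes, "
                             f"only {len(value)} remain")
        tlvs.append((tag & 0x7F, value))     # strip the comprehension bit
        i += length
    return tlvs

def decode(hexstr):
    """Decode a D0/D3 wrapped command (outer length is cross-checked) or a
    bare TLV list such as an AT+STKTR payload."""
    data = bytes.fromhex(hexstr)
    if data[0] in (0xD0, 0xD3):
        if data[1] != len(data) - 2:
            raise ValueError("outer length does not match payload")
        data = data[2:]
    return parse_tlvs(data)

def command_details(tlvs):
    """(command number, command type name, qualifier) from Command details."""
    num, ctype, qual = next(v for t, v in tlvs if t == 0x01)
    return num, COMMAND_TYPES.get(ctype, f"{ctype:02X}"), qual

def menu_items(tlvs):
    """(item identifier, text) for every Item TLV of a SET UP MENU command."""
    return [(v[0], v[1:].decode("ascii")) for t, v in tlvs if t == 0x0F]

def describe(tlvs):
    """One readable line per TLV, for eyeballing a response."""
    return [f"{TAG_NAMES.get(t, f'{t:02X}')}: {v.hex().upper()}" for t, v in tlvs]

if __name__ == "__main__":
    tlvs = decode(STKPCI_HEX)
    print(command_details(tlvs), menu_items(tlvs))
    print("\n".join(describe(tlvs)))
```

Running decode() over each AT+STKTR and AT+STKENV string in the question also flags any length byte that disagrees with the bytes that follow it.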

Related

STM32Cube_FW_F7 SSL client mbedTLS FATAL_ALERT

I am trying to implement an SSL client into my IoT project. I have copied the SSL_Client example I found in STM32Cube_FW_F7_V1.15.0 into my project and was able to compile successfully. However, the SSL handshake fails with -0x7780 MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE. I attach the console debug output:
. Seeding the random number generator... ok
. Loading the CA root certificate ... ok (1 skipped)
. Connecting to tcp/www.google.de/443... ok
. Setting up the SSL/TLS structure... ok
. Performing the SSL/TLS handshake...=> handshake
client state: 0
=> flush output
<= flush output
client state: 1
=> flush output
<= flush output
=> write client hello
client hello, max version: [3:3]
dumping 'client hello, random bytes' (32 bytes)
0000: 88 d9 c4 b1 4f 82 ef a2 74 80 5c 6e 3f c4 29 ca ....O...t.\n?.).
0010: a4 8d 61 2b f6 37 ec 93 39 cb 7d d0 39 5a 67 9b ..a+.7..9.}.9Zg.
client hello, session id len.: 0
dumping 'client hello, session id' (0 bytes)
client hello, add ciphersuite: c02b
client hello, add ciphersuite: c031
client hello, add ciphersuite: c02d
client hello, add ciphersuite: 00a8
client hello, got 4 ciphersuites (excluding SCSVs)
adding EMPTY_RENEGOTIATION_INFO_SCSV
client hello, compress len.: 1
client hello, compress alg.: 0
client hello, adding server name extension: mbed TLS Server 1
client hello, adding signature_algorithms extension
client hello, adding supported_elliptic_curves extension
client hello, adding supported_point_formats extension
client hello, adding encrypt_then_mac extension
client hello, adding extended_master_secret extension
client hello, total extension length: 62
=> write handshake message
=> write record
output record: msgtype = 22, version = [3:3], msglen = 117
dumping 'output record sent to network' (122 bytes)
0000: 16 03 03 00 75 01 00 00 71 03 03 88 d9 c4 b1 4f ....u...q......O
0010: 82 ef a2 74 80 5c 6e 3f c4 29 ca a4 8d 61 2b f6 ...t.\n?.)...a+.
0020: 37 ec 93 39 cb 7d d0 39 5a 67 9b 00 00 0a c0 2b 7..9.}.9Zg.....+
0030: c0 31 c0 2d 00 a8 00 ff 01 00 00 3e 00 00 00 16 .1.-.......>....
0040: 00 14 00 00 11 6d 62 65 64 20 54 4c 53 20 53 65 .....mbed TLS Se
0050: 72 76 65 72 20 31 00 0d 00 0a 00 08 04 03 04 01 rver 1..........
0060: 03 03 03 01 00 0a 00 04 00 02 00 17 00 0b 00 02 ................
0070: 01 00 00 16 00 00 00 17 00 00 ..........
=> flush output
message length: 122, out_left: 122
ssl->f_send() returned 122 (-0xffffff86)
<= flush output
<= write record
<= write handshake message
<= write client hello
client state: 2
=> flush output
<= flush output
=> parse server hello
=> read record
=> fetch input
in_left: 0, nb_want: 5
in_left: 0, nb_want: 5
ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
<= fetch input
dumping 'input record header' (5 bytes)
0000: 15 03 03 00 02 .....
input record: msgtype = 21, version = [3:3], msglen = 2
=> fetch input
in_left: 5, nb_want: 7
in_left: 5, nb_want: 7
ssl->f_recv(_timeout)() returned 2 (-0xfffffffe)
<= fetch input
dumping 'input record from network' (7 bytes)
0000: 15 03 03 00 02 02 28 ......(
got an alert message, type: [2:40]
is a fatal alert message (msg 40)
mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)
mbedtls_ssl_read_record() returned -30592 (-0x7780)
<= handshake
failed
! mbedtls_ssl_handshake returned -0x7780
I am thankful for every hint in the right direction.
client hello, adding server name extension: mbed TLS Server 1
The client is using the SNI extension to indicate that it wants to talk to mbed TLS Server 1. The server on port 443 of www.google.de can respond as www.google.de, google.de and a bunch of other names that Google controls, but it does know about mbed TLS Server 1, so it sends a fatal alert indicating that it cannot complete the handshake.
You can use the sample client as is to talk to the sample server whose source code should be next to it. To contact another server, you need to change or remove the call to mbedtls_ssl_set_hostname.
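The two records in the log can be decoded offline to confirm the answer: the ClientHello names "mbed TLS Server 1" in its server_name extension and the reply is a fatal handshake_failure alert. This is an added example, not part of the STM32Cube SSL_Client sample or of mbed TLS; the bytes are copied from the two hex dumps in the log.

```python
"""Decode the two TLS records from the mbed TLS log above: the ClientHello
that went out and the alert that came back. Added example; not part of the
STM32Cube SSL_Client sample or of mbed TLS itself."""
import struct

# Copied from the 'output record sent to network' dump in the log.
CLIENT_HELLO_RECORD = bytes.fromhex(
    "16 03 03 00 75 01 00 00 71 03 03 88 d9 c4 b1 4f"
    "82 ef a2 74 80 5c 6e 3f c4 29 ca a4 8d 61 2b f6"
    "37 ec 93 39 cb 7d d0 39 5a 67 9b 00 00 0a c0 2b"
    "c0 31 c0 2d 00 a8 00 ff 01 00 00 3e 00 00 00 16"
    "00 14 00 00 11 6d 62 65 64 20 54 4c 53 20 53 65"
    "72 76 65 72 20 31 00 0d 00 0a 00 08 04 03 04 01"
    "03 03 03 01 00 0a 00 04 00 02 00 17 00 0b 00 02"
    "01 00 00 16 00 00 00 17 00 00")
# Copied from the 'input record from network' dump in the log.
ALERT_RECORD = bytes.fromhex("15 03 03 00 02 02 28")

CONTENT_TYPES = {21: "alert", 22: "handshake"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 112: "unrecognized_name"}

def parse_record(data):
    """Split a TLS record into (content type, version, payload); the length
    field has to match what was captured."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("record truncated")
    return CONTENT_TYPES.get(ctype, ctype), (major, minor), payload

def client_hello_server_names(hs):
    """Host names carried in the server_name (SNI) extension of a ClientHello."""
    if hs[0] != 0x01:                      # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                       # handshake header, version, random
    pos += 1 + hs[pos]                     # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                     # compression_methods
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos, end, names = pos + 2, pos + 2 + ext_len, []
    while pos < end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                     # server_name; skip the 2-byte list length
            body = hs[pos + 2:pos + elen]
            while body:                    # NameType(1) + HostName length(2) + name
                nlen = struct.unpack("!H", body[1:3])[0]
                names.append(body[3:3 + nlen].decode("ascii"))
                body = body[3 + nlen:]
        pos += elen
    return names

def parse_alert(payload):
    """(level, description) of a TLS alert; level 2 is fatal."""
    level, desc = payload
    return ("fatal" if level == 2 else "warning"), ALERT_DESCRIPTIONS.get(desc, desc)
```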

How to establish a TLS connection in TLS-PSK mode between a USIM sim card as client and a server?

I want to establish a TLS connection between my SIM card and a server in TLS-PSK mode. To achieve this, as far as I understood, first I have to send a push command to open a BIP channel, then establish a CAT_TP link by sending another push command, and then the SIM card will start the TLS handshake. So first I want to send a push command to my SIM card to open a BIP channel. To do this, the push command will be the OPEN CHANNEL command. But first I'm testing this process by sending the OPEN CHANNEL command to the SIM card via a SIM card reader to see how it works. I have a sample file which I'm following that first sends an envelope SMS-PP with the following content:
81488346 \
84 44\ ;Connection parameter tag
81 03 014001\ ;Command details TLV
82 02 8182\ ;Device identities TLV
35 01 03\ ;Bearer description TLV: default
39 02 0514\ ;Buffer size TLV
47 14 13696E7465726E65742D656E7472657072697365\ ;Network Access Name
0D 07 xxxxxxxxxxxxxx\ ;login name
0D 07 xxxxxxxxxxxxxx\ ;password
3C 03 021964\ ; UICC/terminal interface port number
3E 05 xxxxxxxxxx ;IP address
In the sample file it ciphers the above content with the SIM card's keys and its RAM TAR value and sends the ciphered data with an envelope command like this:
Command : 80 C2 00 00 8A
Input Data : D1 81 87 02 02 82 81 06 02 80 01 8B 7D 40 05 81
: 12 50 F3 96 F6 22 22 22 22 22 22 22 6D 02 70 00
: 00 68 15 16 39 12 12 00 00 01 F0 BD C0 49 B4 0C
: EB A9 7C 4B 04 32 17 BE A7 2F DA AC 70 93 36 73
: 83 FD AC 64 CA 9B 34 9C 2B E6 31 24 A0 D5 11 09
: 00 3E E3 F5 43 4B 55 77 98 E5 08 40 A4 CE A9 52
: 3E E1 38 6B 44 AC 73 1E 3B CD 49 32 92 B2 C3 22
: 25 02 68 90 FD F5 06 23 97 0D BD 5B 1D DE 25 F1
: FD 4C 75 C8 37 AC B0 15 05 25
Then it fetches the push SMS via a FETCH command and after that gets the terminal response with the TERMINAL RESPONSE command to see if everything went OK, and finally fetches the OPEN CHANNEL with the FETCH command. It says that once OPEN CHANNEL is done, the card sends CLIENT HELLO to the server to start the TLS handshake.
Now I want to implement this, but at the first step, where I should send the envelope, I expect to get 9146 as the status word, which means everything was OK, but I get 6200, which means "State of non-volatile memory is unchanged".
Why do I get this response? And basically, what is the proper way to open a BIP channel and then establish a CAT-TP link?
You should first send the TERMINAL PROFILE command. With this command, you'll let the UICC know what the terminal is capable of. In this command, you should indicate that the terminal is capable of handling PROACTIVE commands. You can read more about this in ETSI TS 102 223.
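The terminal-side sequence the answer describes (TERMINAL PROFILE, then ENVELOPE, then FETCH and TERMINAL RESPONSE while the card answers 91 XX) can be written as one small driver. This is an added example, not the question's sample file: `transmit` is an assumed callable that takes APDU bytes and returns (data, sw1, sw2), and make_fake_card() is a constructed stand-in whose 62 00 behaviour mirrors the answer so that the flow runs offline.

```python
"""Terminal side of the flow the answer describes: TERMINAL PROFILE first,
then the ENVELOPE, then FETCH / TERMINAL RESPONSE for as long as the card
reports a pending proactive command (SW1 = 0x91, SW2 = its length).
Added example; `transmit` is injected, make_fake_card() is a constructed card."""

# INS codes for CLA 0x80, from ETSI TS 102 221.
TERMINAL_PROFILE, ENVELOPE, FETCH, TERMINAL_RESPONSE = 0x10, 0xC2, 0x12, 0x14

class CardError(Exception): pass

def send(transmit, ins, data=b"", le=0):
    """Case 3 APDU when data is given (Lc + data), case 2 otherwise (Le)."""
    tail = bytes([len(data)]) + data if data else bytes([le])
    return transmit(bytes([0x80, ins, 0x00, 0x00]) + tail)

def fetch_pending(transmit, sw1, sw2, respond, fetched):
    """While the card says 91 XX: FETCH XX bytes, answer with respond(cmd)."""
    while sw1 == 0x91:
        cmd, fsw1, fsw2 = send(transmit, FETCH, le=sw2)
        if (fsw1, fsw2) != (0x90, 0x00) or len(cmd) != sw2:
            raise CardError(f"FETCH: {fsw1:02X}{fsw2:02X}, {len(cmd)} bytes")
        fetched.append(cmd)
        _, sw1, sw2 = send(transmit, TERMINAL_RESPONSE, respond(cmd))
    return sw1, sw2

def run_session(transmit, profile, envelope, respond, send_profile=True):
    """Return the proactive commands the card handed out after the ENVELOPE."""
    fetched = []
    if send_profile:
        _, sw1, sw2 = send(transmit, TERMINAL_PROFILE, profile)
        if fetch_pending(transmit, sw1, sw2, respond, fetched) != (0x90, 0x00):
            raise CardError("TERMINAL PROFILE rejected")
    _, sw1, sw2 = send(transmit, ENVELOPE, envelope)
    sw = fetch_pending(transmit, sw1, sw2, respond, fetched)
    if sw == (0x62, 0x00):
        raise CardError("62 00: was a TERMINAL PROFILE sent before the ENVELOPE?")
    if sw != (0x90, 0x00):
        raise CardError(f"ENVELOPE: {sw[0]:02X}{sw[1]:02X}")
    return fetched

def make_fake_card(proactive_cmd):
    """Constructed card: 62 00 to an ENVELOPE until a TERMINAL PROFILE was
    seen, then 91 XX; hands proactive_cmd out on FETCH."""
    seen = {"profile": False}
    def transmit(apdu):
        ins = apdu[1]
        if ins == TERMINAL_PROFILE:
            seen["profile"] = True
        elif ins == ENVELOPE:
            if not seen["profile"]:
                return b"", 0x62, 0x00
            return b"", 0x91, len(proactive_cmd)
        elif ins == FETCH:
            return proactive_cmd, 0x90, 0x00
        elif ins != TERMINAL_RESPONSE:
            return b"", 0x6D, 0x00          # INS not supported
        return b"", 0x90, 0x00
    return transmit
```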

Trying to understand data in cross-reference (XRef) stream in PDF

I'm trying to read a PDF file that is linearized and uses cross-reference streams. I believe that I mostly understand what's happening except for the last two entries in the table. Those two, for objects 5 and 6, appear to be in use but show file offsets that vastly exceed the file size. Also, the PDF file I have doesn't even have objects number 5 or 6 in it. Here is the cross-reference stream:
4 0 obj
<</DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<ED772C59D33BA74FA1DEE567740067A0><ED772C59D33BA74FA1DEE567740067A0>]/Info 6 0 R/Length 39/Root 8 0 R/Size 7/Type/XRef/W[1 3 0]>>stream
[binary FlateDecode stream data, 39 bytes]
endstream
And here are the raw data after FlateDecode, arranged in rows. FlateDecode reports that 35 bytes of data were inflated.
02 00 00 00 00
02 01 19 87 6b
02 00 00 0d 67
02 00 00 01 8c
02 00 00 01 0b
02 01 e7 6a 99
02 00 00 00 01
I also applied a PNG Predictor function (up) which yielded 7 rows of 4 bytes each:
00 00 00 00
01 19 87 6b
01 19 94 d2
00 00 0e f3
00 00 02 97
01 e7 6b a4
01 e7 6a 9a
Row 0 is all zero, check. The offsets for object 1 and 2 do in fact address object 1 and 2 in the PDF file. So far, so good. Object 3 is marked unused, and for sure there is no object 3 in the PDF file.
But then, I'm a little confused that object 4, this cross-reference stream, is marked as unused. Still, since it is object 4 that I am parsing, I've clearly had no difficulty finding it. But where I am completely confused are the rows for objects 5 and 6. The "01" in the first column tells me that they are in use. But their offsets exceed the size of the entire file, and in any case, there is no object 5 or 6 in the file. The Size entry in the dictionary clearly has a value of 7, telling me the table should contain data for objects 0 thru 6. After filtering, I have 28 bytes of data, which makes sense for seven rows of four bytes each. Why are entries for 5 and 6 there at all? And, given that they are there, why are they marked as "in use" with apparently nonsense offsets? The file seems valid. Both Adobe Illustrator and Acrobat Reader open it without complaint. I haven't found anything in the PDF spec about special treatment for the last two rows of an Xref stream. What am I missing?
You interpret the predictor to add the current input row and the previous input row to retrieve the current data row. Shouldn't you add the current input row and the previous data row? That would change results for object 3 onward:
02 00 00 00 00 00 00 00 00
02 01 19 87 6b 01 19 87 6b
02 00 00 0d 67 01 19 94 d2
02 00 00 01 8c 01 19 95 5e
02 00 00 01 0b 01 19 96 69
02 01 e7 6a 99 02 00 00 02
02 00 00 00 01 02 00 00 03
Now objects 3 and 4 have proper offsets matching the data from your pastebin paste and objects 5 and 6 would be marked as objects in object streams.
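The predictor arithmetic in the answer, carried out in code over the 35 inflated bytes from the question, reproduces the corrected rows and classifies the entries according to /W [1 3 0]. This is an added example, not from the question or from any PDF library.

```python
"""Undo the PNG 'Up' predictor on the inflated cross-reference stream data the
way the answer describes (each input row is added to the previous *decoded*
row, byte-wise modulo 256) and split the rows into entries using /W [1 3 0].
Added example, not part of the question or of any PDF library."""

# The 35 inflated bytes quoted in the question: 7 rows, each a filter-type
# byte (02 = Up) followed by /Columns 4 data bytes.
INFLATED = bytes.fromhex(
    "02 00 00 00 00  02 01 19 87 6b  02 00 00 0d 67  02 00 00 01 8c"
    "02 00 00 01 0b  02 01 e7 6a 99  02 00 00 00 01")

def png_unpredict(data, columns):
    """Reverse PNG filters (/Predictor >= 10). Only None (0) and Up (2) are
    needed here; Up adds the row above, which must be the decoded row."""
    rows, prev = [], bytes(columns)
    for i in range(0, len(data), columns + 1):
        ftype, raw = data[i], data[i + 1:i + 1 + columns]
        if len(raw) != columns:
            raise ValueError("short row")
        if ftype == 0:
            row = raw
        elif ftype == 2:
            row = bytes((a + b) & 0xFF for a, b in zip(raw, prev))
        else:
            raise ValueError(f"PNG filter {ftype} not handled")
        rows.append(row)
        prev = row
    return rows

def xref_entries(rows, w):
    """Turn each decoded row into (type, field2, field3) per the /W widths.
    A zero-width type field defaults to 1 (in use), a zero-width third field to 0."""
    entries = []
    for row in rows:
        fields, pos = [], 0
        for width in w:
            fields.append(int.from_bytes(row[pos:pos + width], "big") if width else None)
            pos += width
        etype = 1 if fields[0] is None else fields[0]
        entries.append((etype, fields[1] or 0, fields[2] or 0))
    return entries

def describe(entries):
    """One line per object number, using the entry types of ISO 32000-1 section 7.5.8."""
    kinds = {0: "free", 1: "at byte offset", 2: "compressed in object stream"}
    out = []
    for num, (etype, f2, f3) in enumerate(entries):
        tail = "" if etype == 0 else f" {f2}" + (f" index {f3}" if etype == 2 else "")
        out.append(f"obj {num}: {kinds.get(etype, 'unknown')}{tail}")
    return out
```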

Unblock code PIN with APDU commands: error "67 00" --> Wrong length

By using WinsCard.dll, I want to use APDU commands to reset the PIN code and set a new one into the smartcard. But when I launch these commands, I obtain the error "67 00" ("Wrong length").
My APDU commands:
// First command, I verify the PUK code (returns "90 00")
00 20 00 02 08 36 35 32 34 39 38 37 36
// Second command, I try to set a new code PIN into the card
00 2C 03 01 0C 36 35 32 34 39 38 37 36 31 32 33 34
For second command:
36 35 32 34 39 38 37 36 -> code PUK
31 32 33 34 -> new code PIN
After some searches, the only explanation that I have found is that the "Lc" parameter was wrong. But, in my case, it is equal to "0C", and the length of my data is "0C".
So, I don't understand where is my error.
Have you got an idea?
Thank you very much for your help!
Note:
If I reset the PIN code without putting a new PIN (it restores the previous PIN code), it works fine:
00 20 00 02 08 31 38 39 30 31 36 39 32
// Reset code PIN
00 2C 03 01 00
Using the RESET RETRY COUNTER command (INS = 0x2C) with P1 = 0x03 means that you want to reset the retry counter without setting new reference data (i.e. a new PIN). If you want to set new reference data (a new PIN) when resetting the retry counter, you could try (depending on what your card supports)
P1 = 0x00 (for the format you tried):
00 2C 00 01 0C 36 35 32 34 39 38 37 36 31 32 33 34
P1 = 0x02 (only the new reference data is sent):
00 2C 02 01 04 31 32 33 34
Your length should be 0x10. Please refer to the example below:
A0 2C 00 01 10 3636303535333132 31323334 FFFFFFFF
Command : A0 2C 00 01 10
Input Data : 36 36 30 35 35 33 31 32 31 32 33 34 FF FF FF FF
Output Data : none
Status : 90 00
Here 3636303535333132 is the unblock key and 31323334 is the new PIN.
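Both answers come down to what P1 of RESET RETRY COUNTER announces about the data field. The following builder, an added example not taken from the question, encodes the P1 modes of ISO/IEC 7816-4 (it also includes 0x01, PUK only, which the answers did not need), refuses a data field that P1 does not announce, and reproduces the APDUs shown in both answers, including the FF-padded A0 variant.

```python
"""Build RESET RETRY COUNTER (INS 0x2C) APDUs for the P1 modes in the answers
above and refuse a data field that P1 does not announce, which is the mismatch
behind the "67 00": P1 = 0x03 promises no data, yet 12 bytes followed.
Added example, not from the question; P1 meanings are those of ISO/IEC 7816-4."""

# P1 -> the fields the data field must carry, in order.
P1_FIELDS = {0x00: ("puk", "pin"), 0x01: ("puk",), 0x02: ("pin",), 0x03: ()}

def reset_retry_counter(p1, p2, puk=None, pin=None, cla=0x00, pad_to=None):
    """APDU bytes CLA 2C P1 P2 Lc [data]. `p2` is the reference-data
    qualifier (0x01 in the question); `pad_to` right-pads each field with
    0xFF, as the A0 example with Lc = 0x10 does."""
    if p1 not in P1_FIELDS:
        raise ValueError(f"P1 {p1:02X} is not a RESET RETRY COUNTER mode")
    given = {"puk": puk, "pin": pin}
    for name in ("puk", "pin"):
        wanted = name in P1_FIELDS[p1]
        if (given[name] is not None) != wanted:
            raise ValueError(f"P1={p1:02X} {'needs' if wanted else 'forbids'} {name}")
    data = b""
    for name in P1_FIELDS[p1]:
        field = given[name].encode("ascii")
        data += field.ljust(pad_to, b"\xff") if pad_to else field
    return bytes([cla, 0x2C, p1, p2, len(data)]) + data
```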

iBeacon continuing to send advertising packets in background, but being lost by another ranging device

Original question for reference - see update below
This is an extremely strange problem.
I've got an iBeacon broadcasting from Phone A. Everything I've read seems to say that it's not possible for a phone to continue to broadcast as an iBeacon once it has entered the background. However, I am able to lock my phone, and I continue to see (using LightBlue or a raspberry pi) iBeacon advertising packets emitted, with identical manufacturerData. Indefinitely. Nothing about the packet is altered in any way when the phone enters the background.
Phone B is listening for beacon region enter/exit events, and ranging on enter.
Whenever Phone A is put into the background, Phone B loses it - first the number of beacons being ranged drops to 0, then the region is exited. However, I can inspect the bluetooth packets that continue to be sent across the air and clearly see that they are identical to the ones that were sent when the app was in the foreground. Even the transmission rate seems to be about the same.
So my question is this: If Phone B is continuing to receive identical iBeacon-formatted advertising packets from Phone A, how does Phone B decide that it has left the region defined by those packets? None of the actual data sent over the air appears to change, so what is the loss of beacon based on?
Any insight you can give is much appreciated!
Update
Per @davidyoung's suggestion, I used hcidump on the pi to inspect the packets. I also left one of my estimotes on for reference (mac address DA:E3:1D:A7:DE:E8). My device has mac 72:F3:FC:7E:2F:DA. Two cases:
Started with the app in the foreground:
pi@raspberrypi ~ $ sudo hcidump --raw & sudo hcitool lescan
[1] 2228
HCI sniffer - Bluetooth packet analyzer ver 2.4
LE Scan ...
device: hci0 snap_len: 1028 filter: 0xffffffff
DA:E3:1D:A7:DE:E8 (unknown)
> 04 3E 2A 02 01 00 01 E8 DE A7 1D E3 DA 1E 02 01 06 1A FF 4C
00 02 15 B9 40 7F 30 F5 F8 46 6E AF F9 25 55 6B 57 FE 6D DE
E8 1D A7 B6 BA
DA:E3:1D:A7:DE:E8 estimote
> 04 3E 25 02 01 04 01 E8 DE A7 1D E3 DA 19 09 09 65 73 74 69
6D 6F 74 65 0E 16 0A 18 E8 DE A7 1D E3 DA B6 E8 DE A7 1D BB
72:F3:FC:7E:2F:DA (unknown)
> 04 3E 2A 02 01 00 01 DA 2F 7E FC F3 72 1E 02 01 1A 1A FF 4C
00 02 15 B9 40 7F 30 F5 F8 46 6E AF F9 25 55 6B 57 FE 6D AE
85 69 C6 B6 A7
72:F3:FC:7E:2F:DA (unknown)
> 04 3E 0C 02 01 04 01 DA 2F 7E FC F3 72 00 A8
Started with the app in the background:
pi@raspberrypi ~ $ sudo hcidump --raw & sudo hcitool lescan
[1] 2234
HCI sniffer - Bluetooth packet analyzer ver 2.4
LE Scan ...
device: hci0 snap_len: 1028 filter: 0xffffffff
DA:E3:1D:A7:DE:E8 (unknown)
> 04 3E 2A 02 01 00 01 E8 DE A7 1D E3 DA 1E 02 01 06 1A FF 4C
00 02 15 B9 40 7F 30 F5 F8 46 6E AF F9 25 55 6B 57 FE 6D DE
E8 1D A7 B6 B5
DA:E3:1D:A7:DE:E8 estimote
> 04 3E 25 02 01 04 01 E8 DE A7 1D E3 DA 19 09 09 65 73 74 69
6D 6F 74 65 0E 16 0A 18 E8 DE A7 1D E3 DA B6 E8 DE A7 1D B6
72:F3:FC:7E:2F:DA (unknown)
> 04 3E 0F 02 01 00 01 DA 2F 7E FC F3 72 03 02 01 1A A6
72:F3:FC:7E:2F:DA (unknown)
> 04 3E 0C 02 01 04 01 DA 2F 7E FC F3 72 00 A6
I don't see any new packets being emitted when I take the app from the background to the foreground (or vice-versa), but I do see a different (much smaller) packet steadily emitted when the app is in the background. This smaller packet is only present when my app is in the background, not on a clean boot of the device.
So it would seem that although the app does continue to emit BTLE packets in the background, they're much smaller and not iBeacon-compliant. This would be consistent with what I've read around the CoreBluetooth "overflow" area when advertising in the background.
I suspect the packets you are seeing in LightBlue and on the Raspberry Pi are not the iBeacon advertisement. It may be that they were coming from a different hardware device or a different app on iOS.
Understand that iOS does allow you to advertise in the background, just not iBeacon advertisements. So if you have another app running that is advertising Bluetooth LE services, its advertisements will always get picked up by LightBlue and a Raspberry Pi regardless of whether your app is in the foreground or not.
Since LightBlue does not show you the packet detail, there is no way to tell with this tool if the advertisements are from an iBeacon or not. But you can tell with a Raspberry Pi. Like this:
Start an hcidump in the background showing you raw BLE packets
sudo hcidump --raw &
Start a BLE scan
sudo hcitool lescan
This will give you a unique list of all BLE advertisement packets seen.
Try running this with your app in the background, then bring it to the foreground to see what additional advertisements are seen if any. I suspect you will see one additional advertisement, which is your iBeacon advertisement (look closely for your ProximityUUID), and you will only see it when your app is in the foreground.
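The "look closely for your ProximityUUID" step can be automated over the raw hcidump lines: parse the LE Advertising Report event and test whether its AD structures carry Apple manufacturer data with the iBeacon prefix. This is an added example, not from the question or from BlueZ; the two packets are copied from the update's dumps for device 72:F3:FC:7E:2F:DA (foreground and background).

```python
"""Parse hcidump --raw packets into LE Advertising Report entries and check each
for an iBeacon AD structure, i.e. the "look for your ProximityUUID" check.
Added example, not from the question or BlueZ; packets copied from the dump."""
import uuid

# Foreground packet (0x2A parameter bytes) and background packet (0x0F bytes).
FOREGROUND = bytes.fromhex(
    "04 3E 2A 02 01 00 01 DA 2F 7E FC F3 72 1E 02 01 1A 1A FF 4C"
    "00 02 15 B9 40 7F 30 F5 F8 46 6E AF F9 25 55 6B 57 FE 6D AE"
    "85 69 C6 B6 A7")
BACKGROUND = bytes.fromhex("04 3E 0F 02 01 00 01 DA 2F 7E FC F3 72 03 02 01 1A A6")

def parse_le_adv_reports(raw):
    """HCI event packet (0x04) -> LE Meta Event (0x3E) -> subevent 0x02.
    Returns one dict per report: address, event type, AD bytes, RSSI."""
    if raw[:2] != b"\x04\x3E" or raw[3] != 0x02:
        raise ValueError("not an LE Advertising Report event")
    if raw[2] != len(raw) - 3:
        raise ValueError("parameter length does not match packet")
    reports, pos = [], 5
    for _ in range(raw[4]):                       # Num_Reports
        evt_type, addr_type = raw[pos], raw[pos + 1]
        addr = ":".join(f"{b:02X}" for b in reversed(raw[pos + 2:pos + 8]))
        dlen = raw[pos + 8]
        data = raw[pos + 9:pos + 9 + dlen]
        rssi = int.from_bytes(raw[pos + 9 + dlen:pos + 10 + dlen], "big", signed=True)
        reports.append({"addr": addr, "type": evt_type, "random_addr": addr_type == 1,
                        "data": data, "rssi": rssi})
        pos += 10 + dlen
    return reports

def ad_structures(data):
    """Yield (AD type, value) from length/type/value advertising structures."""
    pos = 0
    while pos < len(data) and data[pos]:
        length = data[pos]
        yield data[pos + 1], data[pos + 2:pos + 1 + length]
        pos += 1 + length

def find_ibeacon(data):
    """(proximity UUID, major, minor, measured power) if the AD data carries
    manufacturer data 0x004C (Apple) with the iBeacon prefix 02 15, else None."""
    for ad_type, value in ad_structures(data):
        if ad_type == 0xFF and value[:4] == b"\x4C\x00\x02\x15" and len(value) == 25:
            return (str(uuid.UUID(bytes=value[4:20])).upper(),
                    int.from_bytes(value[20:22], "big"),
                    int.from_bytes(value[22:24], "big"),
                    int.from_bytes(value[24:25], "big", signed=True))
    return None
```

Run over both dumps, the foreground packet yields the Estimote-style UUID B9407F30-F5F8-466E-AFF9-25556B57FE6D while the background packet carries only a Flags structure, which is exactly the difference the update observed.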