Due to a security advisory released on August 28th 2017[1], it's
advisable to update mbedTLS to 2.6.0.
The vulnerability, identified as CVE-2017-14032, allows bypassing the
authentication of a peer when the authentication mode is configured as
optional (the default is secure, but applications might change the
setting.)
tests/crypto/mbedtls is passing.
[1] https://goo.gl/s4imN6
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
This commit fixes the issue reported by Coverity: an array compared
against NULL is always false.
Coverity-CID: 143715
Coverity-CID: 143730
THis patch is ported from below patch:
https://gerrit.zephyrproject.org/r/#/c/7419/
Jira : ZEP-2468
Signed-off-by: Ramakrishna Pallala <ramakrishna.pallala@intel.com>
This commit fixes the issue reported by Coverity: an array compared
against NULL is always false.
Coverity-CID: 143687
Coverity-CID: 143737
Coverity-CID: 143740
This patch is ported from the below patch:
https://gerrit.zephyrproject.org/r/#/c/7418/
Jira: ZEP-2468
Signed-off-by: Ramakrishna Pallala <ramakrishna.pallala@intel.com>
Zeroing out 2*NUM_ECC_WORDS bytes starting from the `p2` pointer would
not only write 16 bytes to an 8-byte array allocated on the stack, but
also not clear out important arrays such as `_private` and `tmp`.
Moreover, no memory was cleared out before returning from the function,
and there are two exit points.
Properly memset() all private data and use an empty assembly block
referencing the memory region to avoid the memset() calls to be elided
by the compiler.
Ideally, in the future, all stack-allocated variables that contains
sensitive information should be marked with __attribute__((cleanup)), a
GCC extension that calls a function when the variable exits the scope.
This will not only reduce code size, but for other functions with
multiple exit points, also ensure that sensitive data is always
cleared.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
This mbedtls configuration creates support for DTLS. The values
are not optimized for RAM usage, but can be used for various
networking sample applications.
Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Version 0.2.7 of this library has been released on June 30th, and this
patch updates the library from version 0.2.6. A summary of changes
is available at the official repository at:
https://github.com/01org/tinycrypt/releases/tag/v0.2.7
There were some API changes in this version, so some tests are not
building: ccm_mode, ecc_dh, and ecc_dsa. Fixes to these tests and
subsystems affected by the changes will be provided.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This changes increases content buffer length
MBEDTLS_SSL_MAX_CONTENT_LEN to 1500 bytes so that we can use
this config for echo-client and echo-server network sample
applications which need to send bigger data than 1024 bytes.
Removing MBEDTLS_PEM_PARSE_C as we do not have any cert in PEM
format.
Place various MBEDTLS debug options behind CONFIG_MBEDTLS_DEBUG
Kconfig option which was introduced in previous commit.
Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Add Kconfig option that can be used to enable various debug
options in mbedtls config file.
Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
As the mbedtls heap is global for the whole device, enable it
during device startup if configured so. The heap size can be
set in config file. There is no default value for the heap as
that depends very much on application needs.
Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
TinyCrypt 0.2.5 was released a few hours ago:
https://github.com/01org/tinycrypt/releases/tag/v0.2.5
This patch updates some TinyCrypt files, solving the following issues:
- Decryptions using ccm mode can incorrectly fail
- Minor style issues in code documentation
Change-Id: I606cde179888aad7a52fd277d73973f2347d8882
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
This is a sample app using ECJPAKE crypto algorithm on DTLS, using
mbedTLS, and native IP stack
Jira: ZEP-900
Jira: ZEP-943
Change-Id: Ica17b047aab11b989d3e8c8f6ac1b79e3041053a
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
This commit fixes the issue reported by Coverity: an array compared
against NULL is always false.
Coverity-CID: 143715
Coverity-CID: 143730
Change-Id: Ie3c87f892c2b2a337981125e2a92c37c579d4b38
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
This commit fixes the issue reported by Coverity: an array compared
against NULL is always false.
Coverity-CID: 143687
Coverity-CID: 143737
Coverity-CID: 143740
Change-Id: Id94a144c47b3377876695e86da8c0c33a989ec99
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
This commit fixes a bug found in CTR PRNG reseed function to correctly
use the seed material.
See: https://github.com/01org/tinycrypt
Commit: 601f6a26ab4505ac82a2fb13ae4757c2b8d3eba8
Change-Id: I01216484bd1ee980b0e2da7fdc752a952f217ef0
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
This is a client that uses shared keys to execute a TLS handshake and read
info from the server, information on how to run the test is in the README
file.
Jira: ZEP-327
Jira: ZEP-340
Jira: ZEP-495
Origin: https://tls.mbed.org/download/start/mbedtls-2.3.0-apache.tgz
Change-Id: I10f31f3635f346936807b7c8470b3d6ffb3af283
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
This contain the run of the self test for the ciphers, crypto
algorithms and utilities of mbedTLS.
Jira: ZEP-327
Jira: ZEP-340
Jira: ZEP-495
Origin: https://tls.mbed.org/download/start/mbedtls-2.3.0-apache.tgz
Change-Id: Ic1bb30b7ed691f17421510cd914ec5096e4e70ea
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
Signed-off-by: Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
Modify tinycrypt/Kconfig and tinycrypt/Makefile to include new CTR_PRNG
algorithm.
Jira: ZEP-590
Change-Id: Ied0288126c326d229508c05df4a256dea29cf740
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
Update Zephyr's tinycrypt to version 2.0. This new version adds support
for ECC_DH, ECC_DSA, CMAC, & CTR_PRNG.
The following doxygen documentation typos were detected and fixed:
- ctr_prng.h:84 change plen by pLen,
- ctr_prng.h:109 change entropylen by entropyLen,
- sha256.h:110 change Sha256 by s.
ecc_dh.h is also modified to fix the discrepancy of ecc_make_key
definition and declaration.
See https://gerrit.zephyrproject.org/r/#/c/1982/
TC_FAIL and TC_SUCCESS defines are renamed in this new version of
tinycrypt, so net/bluetooth/hci_core.c, net/bluetooth/hci_ecc.c and
net/bluetooth/smp.c are also updated to reflect those changes.
Origin: https://github.com/01org/tinycrypt/archive/v0.2.0.tar.gz
Jira: ZEP-590
Change-Id: I85f4f0ab61d9b0be6a60897e2b96f245dd8c51a8
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
Integrating the mbedTLS to the the build proccess with the minimal
Thread configuration.
Change-Id: I0ae191434d26890537a29a247c409228180410f3
Jira: ZEP-327
Jira: ZEP-340
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
Adding the mbedTLS configuration neede for Thread Network Protocol
support, this shows the modifications needed to be able to compile
on Zephyr
Jira: ZEP-327
Jira: ZEP-340
Change-Id: I80a8f44bc302905b7aa4568a40a6ca66dcaf42f8
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
Porting the mbedTLS library with the minimal Thread supported
configuration, this is a TLS/SSL library highly customizable.
This show the modifications needed to be able to compile on
Zephyr build enviroment which does not have a time.h header file,
so we avoid compilation errors.
Jira: ZEP-327
Jira: ZEP-340
Change-Id: I197ea96d33748c986c71fe5a0608225aee69c8b3
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
Adding the pristine version of mbed TLS to the zephyr source tree
as the initial step of porting the mbed TLS library to Zephyr
Jira: ZEP-327
Jira: ZEP-340
Origin: https://tls.mbed.org/download/start/mbedtls-2.3.0-apache.tgz
Change-Id: Iae814560310ebd00af52c7b1fb9d03195388fa0c
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
Signed-off-by: Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
Tinycrypt is maintained at github and thus should be treated as an
external library and hosted under ext/.
Change-Id: I4c4a3bcdacf01d4922919e5ea1f9dec21a19cd37
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
