Fix Kconfig help sections and add spacing to be consistent across all
Kconfig file. In a previous run we missed a few.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
The previous default, "config-threadnet.h", is more or less arbitrary
choice made in a commit 312def2c78 1.5 years ago. In particular,
it's not related to Thread support in Zephyr per se (there was no
such support at that time).
It doesn't make sense to have a default intended for a particular,
not widely used (yet) protocol. Instead, the default should work
out of the box with a contemporary widely deployed arrays of TLS
servers, which are HTTPS server. config-mini-tls1_2.h works with
https://google.com, and by extension, with many other servers on
the Internet.
So, have that as the default, and let applications with special
needs to override that to what they need.
Addresses: #6132
Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
This config enables TLS 1.2 (only), as its name suggests, and
contrary to the (copy-pasted) comments in the file header, so
update these comments.
Fixes: #6131
Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
- Make half float encode/decode conditional
- src/cborpretty.c, src/cbortojson.c and src/cborvalidation.c
conditionally include math.h and half float type support
- Conditionally include math.h in src/compilersupport_p.h to avoid
newlib libc from getting compiled in
- Conditionally compile src/cborparser_dup_string.c if newlib libc is
compiled in
Signed-off-by: Vipul Rahane <vipulrahane@apache.org>
The TinyCBOR library is a small Concise Binary Object
Representation (CBOR) encoder and decoder library, optimized for
very fast operation with very small footprint.
Origin: TinyCBOR
License: MIT
URL: https://github.com/intel/tinycbor
Version: 0.5.0-beta1
commit: 497066ee87dd54341adaa1195bf15ad11ee33b20
Purpose: Introduction of TinyCBOR
Maintained-by: External
Signed-off-by: Vipul Rahane <vipulrahane@apache.org>
Due to a security advisory released on February 1st 2018[1], it's
advisable to update mbedTLS to 2.7.0.
The vulnerability, identified as CVE-2018-0488 and CVE-2018-0487, risk
remote code execution when truncated HMAC is enabled or when verifying
RSASSA-PSS signatures.
[1] https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01Fixes: #6025
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Kbuild supported CONFIG_MBEDTLS_LIBRARY and
CONFIG_MBEDTLS_INSTALL_PATH to allow users to link in an externally
built mbedtls. This was not ported over to CMake, causing build
failures when it was kconfig-enabled.
This patch implements this support. This support has been tested
as well as MBEDTLS_LIBRARY was tested in CI.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Signed-off-by: Ding Tao <miyatsu@qq.com>
CONFIG_MBEDTLS means you are using MBEDTLS
CONFIG_MBEDTLS_BUILTIN means you are using a built-in MDEDTLS
CONFIG_MBEDTLS_LIBRARY means you are using an external MBEDTLS
This patch ensures that you must select one or the other
implementation when MBEDTLS is enabled.
Tested by opening xconfig and observing that when MBEDTLS was enabled,
BUILTIN was automatically enabled, and a radio-button interface
existed to change the implementation.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Signed-off-by: Ding Tao <miyatsu@qq.com>
mbedTLS include directories will now default to be in the 'app'
include path when mbedTLS has been enabled.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The CoAP samples use an MBEDTLS config "config-coap.h" which could be
re-used by the LwM2M sample, except that most servers use a larger
maximum content length setting of 1500 bytes.
Let's add a CONFIG to set this for users of the CoAP lib and set the
CONFIG value for the samples to the 256 size currently used.
Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
Version 0.2.8 of this library has been released on Aug 29, and this
patch updates the library from version 0.2.7. A summary of changes
is available at the official repository at:
https://github.com/01org/tinycrypt/releases/tag/v0.2.8
A number of the changes we already had in tree, so the import to sync
with v0.2.8 is pretty minor.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Introducing CMake is an important step in a larger effort to make
Zephyr easy to use for application developers working on different
platforms with different development environment needs.
Simplified, this change retains Kconfig as-is, and replaces all
Makefiles with CMakeLists.txt. The DSL-like Make language that KBuild
offers is replaced by a set of CMake extentions. These extentions have
either provided simple one-to-one translations of KBuild features or
introduced new concepts that replace KBuild concepts.
This is a breaking change for existing test infrastructure and build
scripts that are maintained out-of-tree. But for FW itself, no porting
should be necessary.
For users that just want to continue their work with minimal
disruption the following should suffice:
Install CMake 3.8.2+
Port any out-of-tree Makefiles to CMake.
Learn the absolute minimum about the new command line interface:
$ cd samples/hello_world
$ mkdir build && cd build
$ cmake -DBOARD=nrf52_pca10040 ..
$ cd build
$ make
PR: zephyrproject-rtos#4692
docs: http://docs.zephyrproject.org/getting_started/getting_started.html
Signed-off-by: Sebastian Boe <sebastian.boe@nordicsemi.no>
Mysterious TLS errors are printed if we try to work with too
small crypto buffer when https is enabled.
Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Set default MBEDTLS_HEAP_SIZE to 512 which fixes the driver Kconfig
dependency issues.
Signed-off-by: Ramakrishna Pallala <ramakrishna.pallala@intel.com>
This should clear up some of the confusion with random number
generators and drivers that obtain entropy from the hardware. Also,
many hardware number generators have limited bandwidth, so it's natural
for their output to be only used for seeding a random number generator.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
When default "n" is selected (as it is by default) this sets:
CONFIG_MBEDTLS_DEBUG="n"
When checked by the existing logic (example shown below) will always
be true and debug will be enabled all the time:
//#if defined(CONFIG_MBEDTLS_DEBUG)
Instead, let's change the config type to "bool" which will be
undefined when set to "n" (by default). The existing #if defined()
checks will work correctly.
NOTE: This fix saves a lot of binary space when MBEDTLS is enabled
due to the amount debug output being compiled in.
Signed-off-by: Michael Scott <michael.scott@linaro.org>
Due to a security advisory released on August 28th 2017[1], it's
advisable to update mbedTLS to 2.6.0.
The vulnerability, identified as CVE-2017-14032, allows bypassing the
authentication of a peer when the authentication mode is configured as
optional (the default is secure, but applications might change the
setting.)
tests/crypto/mbedtls is passing.
[1] https://goo.gl/s4imN6
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
This commit fixes the issue reported by Coverity: an array compared
against NULL is always false.
Coverity-CID: 143715
Coverity-CID: 143730
THis patch is ported from below patch:
https://gerrit.zephyrproject.org/r/#/c/7419/
Jira : ZEP-2468
Signed-off-by: Ramakrishna Pallala <ramakrishna.pallala@intel.com>
This commit fixes the issue reported by Coverity: an array compared
against NULL is always false.
Coverity-CID: 143687
Coverity-CID: 143737
Coverity-CID: 143740
This patch is ported from the below patch:
https://gerrit.zephyrproject.org/r/#/c/7418/
Jira: ZEP-2468
Signed-off-by: Ramakrishna Pallala <ramakrishna.pallala@intel.com>
Zeroing out 2*NUM_ECC_WORDS bytes starting from the `p2` pointer would
not only write 16 bytes to an 8-byte array allocated on the stack, but
also not clear out important arrays such as `_private` and `tmp`.
Moreover, no memory was cleared out before returning from the function,
and there are two exit points.
Properly memset() all private data and use an empty assembly block
referencing the memory region to avoid the memset() calls to be elided
by the compiler.
Ideally, in the future, all stack-allocated variables that contains
sensitive information should be marked with __attribute__((cleanup)), a
GCC extension that calls a function when the variable exits the scope.
This will not only reduce code size, but for other functions with
multiple exit points, also ensure that sensitive data is always
cleared.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
This mbedtls configuration creates support for DTLS. The values
are not optimized for RAM usage, but can be used for various
networking sample applications.
Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Version 0.2.7 of this library has been released on June 30th, and this
patch updates the library from version 0.2.6. A summary of changes
is available at the official repository at:
https://github.com/01org/tinycrypt/releases/tag/v0.2.7
There were some API changes in this version, so some tests are not
building: ccm_mode, ecc_dh, and ecc_dsa. Fixes to these tests and
subsystems affected by the changes will be provided.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This changes increases content buffer length
MBEDTLS_SSL_MAX_CONTENT_LEN to 1500 bytes so that we can use
this config for echo-client and echo-server network sample
applications which need to send bigger data than 1024 bytes.
Removing MBEDTLS_PEM_PARSE_C as we do not have any cert in PEM
format.
Place various MBEDTLS debug options behind CONFIG_MBEDTLS_DEBUG
Kconfig option which was introduced in previous commit.
Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Add Kconfig option that can be used to enable various debug
options in mbedtls config file.
Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
As the mbedtls heap is global for the whole device, enable it
during device startup if configured so. The heap size can be
set in config file. There is no default value for the heap as
that depends very much on application needs.
Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
TinyCrypt 0.2.5 was released a few hours ago:
https://github.com/01org/tinycrypt/releases/tag/v0.2.5
This patch updates some TinyCrypt files, solving the following issues:
- Decryptions using ccm mode can incorrectly fail
- Minor style issues in code documentation
Change-Id: I606cde179888aad7a52fd277d73973f2347d8882
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
This is a sample app using ECJPAKE crypto algorithm on DTLS, using
mbedTLS, and native IP stack
Jira: ZEP-900
Jira: ZEP-943
Change-Id: Ica17b047aab11b989d3e8c8f6ac1b79e3041053a
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
This commit fixes the issue reported by Coverity: an array compared
against NULL is always false.
Coverity-CID: 143715
Coverity-CID: 143730
Change-Id: Ie3c87f892c2b2a337981125e2a92c37c579d4b38
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
This commit fixes the issue reported by Coverity: an array compared
against NULL is always false.
Coverity-CID: 143687
Coverity-CID: 143737
Coverity-CID: 143740
Change-Id: Id94a144c47b3377876695e86da8c0c33a989ec99
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
This commit fixes a bug found in CTR PRNG reseed function to correctly
use the seed material.
See: https://github.com/01org/tinycrypt
Commit: 601f6a26ab4505ac82a2fb13ae4757c2b8d3eba8
Change-Id: I01216484bd1ee980b0e2da7fdc752a952f217ef0
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
This is a client that uses shared keys to execute a TLS handshake and read
info from the server, information on how to run the test is in the README
file.
Jira: ZEP-327
Jira: ZEP-340
Jira: ZEP-495
Origin: https://tls.mbed.org/download/start/mbedtls-2.3.0-apache.tgz
Change-Id: I10f31f3635f346936807b7c8470b3d6ffb3af283
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
This contain the run of the self test for the ciphers, crypto
algorithms and utilities of mbedTLS.
Jira: ZEP-327
Jira: ZEP-340
Jira: ZEP-495
Origin: https://tls.mbed.org/download/start/mbedtls-2.3.0-apache.tgz
Change-Id: Ic1bb30b7ed691f17421510cd914ec5096e4e70ea
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
Signed-off-by: Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
Modify tinycrypt/Kconfig and tinycrypt/Makefile to include new CTR_PRNG
algorithm.
Jira: ZEP-590
Change-Id: Ied0288126c326d229508c05df4a256dea29cf740
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
Update Zephyr's tinycrypt to version 2.0. This new version adds support
for ECC_DH, ECC_DSA, CMAC, & CTR_PRNG.
The following doxygen documentation typos were detected and fixed:
- ctr_prng.h:84 change plen by pLen,
- ctr_prng.h:109 change entropylen by entropyLen,
- sha256.h:110 change Sha256 by s.
ecc_dh.h is also modified to fix the discrepancy of ecc_make_key
definition and declaration.
See https://gerrit.zephyrproject.org/r/#/c/1982/
TC_FAIL and TC_SUCCESS defines are renamed in this new version of
tinycrypt, so net/bluetooth/hci_core.c, net/bluetooth/hci_ecc.c and
net/bluetooth/smp.c are also updated to reflect those changes.
Origin: https://github.com/01org/tinycrypt/archive/v0.2.0.tar.gz
Jira: ZEP-590
Change-Id: I85f4f0ab61d9b0be6a60897e2b96f245dd8c51a8
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
Anas Nashif