Commit Graph

42 Commits

Author SHA1 Message Date
Ulf Magnusson d1684a83a4 Kconfig: Clean up some symbol definitions
- Remove redundant 'n' defaults. 'n' is the default value for bool
  symbols.

  This makes the auto-generated documentation clearer as well: You get
  "implicitly defaults to n" instead of
  "- n if <propagated dependencies>".

- Shorten

      <type>
      prompt "foo"

  to

      <type> "foo"

  This works for all types, not just bool.

- Various formatting nits.

Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
2018-08-01 12:47:17 -04:00
Robert Lubos f1421b96df ext: lib: crypto: Make config-tls-generic.h default config
Default configuration of config-tls-generic.h mimics the current default
config file configuration - config-mini-tls1_2.h, therefore it can be
safely used instead of it.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
2018-07-13 10:56:40 +02:00
Robert Lubos a60af5c1ff ext: lib: crypto: Add generic mbedTLS config file
This commit provides a config file for mbedtls that can be modified by
Kconfig. As a result, features like supported ciphersuites can be easily
adjusted from Kconfig.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
2018-07-13 10:56:40 +02:00
Ulf Magnusson fb6f9b78c9 ext: Kconfig: Remove redundant 'default n' properties
Bool symbols implicitly default to 'n'.

A 'default n' could make sense e.g. in a Kconfig.defconfig file, if you
wanted to override a 'default y' on the base definition of the symbol,
but it doesn't seem to be used like that on any of these symbols.

Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
2018-06-18 15:26:38 -04:00
Maureen Helm 9550a7b17f ext: lib: crypto: Restore config macros removed in mbedTLS 2.9.0
mbedTLS 2.9.0 removed several macros from the config-ccm-psk-tls1_2.h
configuration that we need defined to build mbedTLS in zephyr. This
fixes the CI build failure in samples/net/mbedtls_sslclient.

Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
2018-05-25 17:17:03 -04:00
Maureen Helm 1cd6373f21 ext: lib: crypto: Update mbedTLS to 2.9.0
Mbed TLS 2.9.0 introduces some minor functional improvements including
code size reductions with smaller AES tables, and initial support for
Curve448 along with some security fixes and bug fixes.

Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
2018-05-25 17:17:03 -04:00
Leandro Pereira 2c58de5735 ext: lib: crypto: Update mbedTLS to 2.8.0
This updates mbedTLS to 2.8.0, which fixes CVE-2018-0488 and
CVE-2018-0487, which affect 2.7.0.

Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
2018-04-21 05:44:24 -07:00
Paul Sokolovsky e82578919a mbedtls: Replace COAP-specific max len setting with generic
Instead of CONFIG_COAP_MBEDTLS_SSL_MAX_CONTENT_LEN, use recently
introduced CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN.

Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
2018-03-18 09:38:22 -07:00
Paul Sokolovsky 7558ce8cdb mbedtls: Add CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN
This value allows setting the max payload length of a TLS protocol
message, and is passed through to mbedTLS as the MBEDTLS_SSL_MAX_CONTENT_LEN
setting. The only safe value is 16384, which translates to 32KB
of RAM required just for mbedTLS input/output buffers. Any other
value can be configured *only* for a particular application
(e.g. knowing that it won't pass more than a specific amount of
data at once and/or won't connect to a server with a long cert
chain). Previously, we had quite an ad hoc and inflexible config
with random values for that setting, based on protocol.

Note that while the safe value is 16384, "backward compatible"
default of 1500 is used (good for DTLS on the other hand).

Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
2018-03-18 09:38:22 -07:00
Paul Sokolovsky ec207f4250 net: app: Move mbedTLS debug log level config to mbedTLS Kconfig
mbedTLS log level is obviously a mbedTLS config setting. It makes
sense to have it defined in mbedTLS Kconfig, and different parts
of Zephyr to reuse as needed (e.g. net-app vs upcoming TLS wrapper
for sockets).

Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
2018-02-22 18:44:55 -05:00
Anas Nashif 8949233390 kconfig: fix more help spacing issues
Fix Kconfig help sections and add spacing to be consistent across all
Kconfig file. In a previous run we missed a few.

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2018-02-15 23:20:55 -05:00
Paul Sokolovsky 42680b07af mbedtls: Switch default MBEDTLS_CFG_FILE to config-mini-tls1_2.h
The previous default, "config-threadnet.h", is a more or less arbitrary
choice made in commit 312def2c78 1.5 years ago. In particular,
it's not related to Thread support in Zephyr per se (there was no
such support at that time).

It doesn't make sense to have a default intended for a particular,
not widely used (yet) protocol. Instead, the default should work
out of the box with the contemporary, widely deployed array of TLS
servers, which are HTTPS servers. config-mini-tls1_2.h works with
https://google.com, and by extension, with many other servers on
the Internet.

So, have that as the default, and let applications with special
needs override it with what they need.

Addresses: #6132

Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
2018-02-15 12:35:31 -05:00
Paul Sokolovsky 9f3d335b0c mbedtls: config-mini-tls1_2.h: Update stale comments
This config enables TLS 1.2 (only), as its name suggests, and
contrary to the (copy-pasted) comments in the file header, so
update these comments.

Fixes: #6131

Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
2018-02-15 12:08:36 -05:00
Kumar Gala bb72c3d020 crypto: mbedtls: Update mbedTLS to 2.7.0
Due to a security advisory released on February 1st 2018[1], it's
advisable to update mbedTLS to 2.7.0.

The vulnerabilities, identified as CVE-2018-0488 and CVE-2018-0487, risk
remote code execution when truncated HMAC is enabled or when verifying
RSASSA-PSS signatures.

[1] https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

Fixes: #6025

Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
2018-02-07 16:25:27 -05:00
Sebastian Bøe c3f53911de mbedtls: Added support for using an externally built mbedtls
Kbuild supported CONFIG_MBEDTLS_LIBRARY and
CONFIG_MBEDTLS_INSTALL_PATH to allow users to link in an externally
built mbedtls. This was not ported over to CMake, causing build
failures when it was kconfig-enabled.

This patch implements this support. This support has been tested, and
MBEDTLS_LIBRARY was tested in CI as well.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Signed-off-by: Ding Tao <miyatsu@qq.com>
2018-01-29 23:46:15 -05:00
Sebastian Bøe 61cf3b0573 mbedtls: Kconfig: Re-organize to enable choosing an mbedtls impl.
CONFIG_MBEDTLS means you are using MBEDTLS
CONFIG_MBEDTLS_BUILTIN means you are using a built-in MBEDTLS
CONFIG_MBEDTLS_LIBRARY means you are using an external MBEDTLS

This patch ensures that you must select one or the other
implementation when MBEDTLS is enabled.

Tested by opening xconfig and observing that when MBEDTLS was enabled,
BUILTIN was automatically enabled, and a radio-button interface
existed to change the implementation.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Signed-off-by: Ding Tao <miyatsu@qq.com>
2018-01-29 23:46:15 -05:00
Sebastian Bøe 6f642a19fd cmake: Ported mbedTLS to use Zephyr interface libraries
mbedTLS include directories will now default to be in the 'app'
include path when mbedTLS has been enabled.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2018-01-02 22:09:01 -05:00
Michael Scott 2fc554b8fc crypto: config: config-coap: add CONFIG for setting max content length
The CoAP samples use an MBEDTLS config "config-coap.h" which could be
re-used by the LwM2M sample, except that most servers use a larger
maximum content length setting of 1500 bytes.

Let's add a CONFIG to set this for users of the CoAP lib and set the
CONFIG value for the samples to the 256 size currently used.

Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
2017-12-15 17:52:13 -05:00
Anas Nashif 429c2a4d9d kconfig: fix help syntax and add spaces
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2017-12-13 17:43:28 -06:00
Sebastian Bøe 0829ddfe9a kbuild: Removed KBuild
Signed-off-by: Sebastian Boe <sebastian.boe@nordicsemi.no>
2017-11-08 20:00:22 -05:00
Sebastian Bøe 12f8f76165 Introduce cmake-based rewrite of KBuild
Introducing CMake is an important step in a larger effort to make
Zephyr easy to use for application developers working on different
platforms with different development environment needs.

Simplified, this change retains Kconfig as-is, and replaces all
Makefiles with CMakeLists.txt. The DSL-like Make language that KBuild
offers is replaced by a set of CMake extensions. These extensions have
either provided simple one-to-one translations of KBuild features or
introduced new concepts that replace KBuild concepts.

This is a breaking change for existing test infrastructure and build
scripts that are maintained out-of-tree. But for FW itself, no porting
should be necessary.

For users that just want to continue their work with minimal
disruption the following should suffice:

Install CMake 3.8.2+

Port any out-of-tree Makefiles to CMake.

Learn the absolute minimum about the new command line interface:

$ cd samples/hello_world
$ mkdir build && cd build
$ cmake -DBOARD=nrf52_pca10040 ..

$ cd build
$ make

PR: zephyrproject-rtos#4692
docs: http://docs.zephyrproject.org/getting_started/getting_started.html

Signed-off-by: Sebastian Boe <sebastian.boe@nordicsemi.no>
2017-11-08 20:00:22 -05:00
Jukka Rissanen ae0f3d7224 net: https: mbedtls buffer length needs to be bigger for https
Mysterious TLS errors are printed if we try to work with too
small crypto buffer when https is enabled.

Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
2017-11-06 09:33:00 -05:00
Ramakrishna Pallala 26c1bd545f ext: lib: crypto: mbedtls: Set default MBEDTLS_HEAP_SIZE to 512
Set default MBEDTLS_HEAP_SIZE to 512 which fixes the driver Kconfig
dependency issues.

Signed-off-by: Ramakrishna Pallala <ramakrishna.pallala@intel.com>
2017-11-03 14:27:41 -04:00
Michael Scott afd5442521 ext: mbedtls: change MBEDTLS_DEBUG config from string to bool
When default "n" is selected (as it is by default) this sets:
CONFIG_MBEDTLS_DEBUG="n"

When checked by the existing logic (example shown below) will always
be true and debug will be enabled all the time:
//#if defined(CONFIG_MBEDTLS_DEBUG)

Instead, let's change the config type to "bool" which will be
undefined when set to "n" (by default).  The existing #if defined()
checks will work correctly.

NOTE: This fix saves a lot of binary space when MBEDTLS is enabled
due to the amount of debug output being compiled in.

Signed-off-by: Michael Scott <michael.scott@linaro.org>
2017-10-01 17:34:09 -04:00
Leandro Pereira b9bc24c8dd crypto: mbedtls: Update mbedTLS to 2.6.0
Due to a security advisory released on August 28th 2017[1], it's
advisable to update mbedTLS to 2.6.0.

The vulnerability, identified as CVE-2017-14032, allows bypassing the
authentication of a peer when the authentication mode is configured as
optional (the default is secure, but applications might change the
setting.)

tests/crypto/mbedtls is passing.

[1] https://goo.gl/s4imN6

Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
2017-08-30 21:42:02 -04:00
Anas Nashif c287d0f60e crypto: Update to mbedTLS 2.5.1
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
2017-08-03 11:15:25 -05:00
Jukka Rissanen 7c5002c409 ext: lib: mbedtls: Add example config for DTLS support
This mbedtls configuration creates support for DTLS. The values
are not optimized for RAM usage, but can be used for various
networking sample applications.

Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
2017-08-01 10:38:22 -04:00
Aska Wu 3e2b6dbd5d ext: lib: mbedtls: Increase max content len if MQTT TLS is enabled
Increase MBEDTLS_SSL_MAX_CONTENT_LEN to 2500 to avoid TLS handshake
failure with mosquitto.

Signed-off-by: Aska Wu <aska.wu@linaro.org>
2017-07-28 11:25:43 +03:00
Jukka Rissanen a5898da7f5 ext: lib: mbedtls: Optimize example config for Zephyr
This change increases the content buffer length
MBEDTLS_SSL_MAX_CONTENT_LEN to 1500 bytes so that we can use
this config for the echo-client and echo-server network sample
applications, which need to send bigger data than 1024 bytes.

Remove MBEDTLS_PEM_PARSE_C as we do not have any cert in PEM
format.

Place various MBEDTLS debug options behind CONFIG_MBEDTLS_DEBUG
Kconfig option which was introduced in previous commit.

Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
2017-06-30 06:13:09 -04:00
Jukka Rissanen 65b9656707 ext: lib: mbedtls: Add Kconfig option to enable mbedtls debugging
Add Kconfig option that can be used to enable various debug
options in mbedtls config file.

Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
2017-06-30 06:13:09 -04:00
Jukka Rissanen a9c0a3f9eb ext: lib: mbedtls: Enable and set heap size at device startup
As the mbedtls heap is global for the whole device, enable it
during device startup if configured so. The heap size can be
set in config file. There is no default value for the heap as
that depends very much on application needs.

Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
2017-06-27 16:42:59 +03:00
Kumar Gala a20b249549 ext: lib: mbedtls: Upgrading mbedTLS library
Upgrading mbedTLS to version 2.4.2 from 2.4

Origin: https://tls.mbed.org/download/start/mbedtls-2.4.2-apache.tgz

Jira: ZEP-1800

Change-Id: I16a7eaeb4c2e47d11f0594fe1bd865be3eef37b6
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
2017-03-29 22:08:08 +00:00
Flavio Santes d599af40c8 ext/lib/mbedtls: Add the TLS configuration file
This patch adds the TLS configuration file required by mbed.

Change-Id: I8d99f27e028775de153a69cdd6706b8e2d0a3d9b
Signed-off-by: Flavio Santes <flavio.santes@intel.com>
2017-02-14 08:30:35 +02:00
Sergio Rodriguez 3818af4a7b samples/coaps_server CoAP over DTLS server example app using mbedTLS
Jira: ZEP-942

Change-Id: I810fccfed912d9de62073a9a4e943b7924aa6392
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
2017-01-27 12:35:53 +02:00
Sergio Rodriguez 47b7b6bd31 ext: lib: mbedtls : Upgrading mbedTLS library
Upgrading mbedTLS to version 2.4 from 2.3

Origin: https://tls.mbed.org/download/start/mbedtls-2.4.0-apache.tgz

Jira: ZEP-1292
Jira: ZEP-734

Change-Id: I32d81304f5d568810e271b8e9fc2135def1dda0a
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
2017-01-05 17:58:06 +00:00
Sergio Rodriguez 05aded096e samples/mbedtls_dtlsclient: mbedTLS sample DTLS client app.
This is a sample app using ECJPAKE crypto algorithm on DTLS, using
mbedTLS, and native IP stack

Jira: ZEP-900
Jira: ZEP-943

Change-Id: Ica17b047aab11b989d3e8c8f6ac1b79e3041053a
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
2016-12-02 12:40:51 +02:00
Sergio Rodriguez 259c24397d samples/net : Adding mbedTLS sample client
This is a client that uses shared keys to execute a TLS handshake and read
info from the server; information on how to run the test is in the README
file.

Jira: ZEP-327
Jira: ZEP-340
Jira: ZEP-495

Origin: https://tls.mbed.org/download/start/mbedtls-2.3.0-apache.tgz

Change-Id: I10f31f3635f346936807b7c8470b3d6ffb3af283
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
2016-07-31 17:00:45 +00:00
Sergio Rodriguez 950f45b532 samples/net : Adding mbedTLS self test routine
This contains the run of the self test for the ciphers, crypto
algorithms and utilities of mbedTLS.

Jira: ZEP-327
Jira: ZEP-340
Jira: ZEP-495

Origin: https://tls.mbed.org/download/start/mbedtls-2.3.0-apache.tgz

Change-Id: Ic1bb30b7ed691f17421510cd914ec5096e4e70ea
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
Signed-off-by: Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
2016-07-27 22:19:06 +00:00
Sergio Rodriguez 312def2c78 ext/lib : Integrating mbedTLS to build process
Integrating mbedTLS into the build process with the minimal
Thread configuration.

Change-Id: I0ae191434d26890537a29a247c409228180410f3
Jira: ZEP-327
Jira: ZEP-340
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
2016-07-26 16:00:04 -07:00
Sergio Rodriguez 96c69cc29f ext/lib : mbedTLS Configuration modifications
Adding the mbedTLS configuration needed for Thread Network Protocol
support; this shows the modifications needed to be able to compile
on Zephyr.

Jira: ZEP-327
Jira: ZEP-340

Change-Id: I80a8f44bc302905b7aa4568a40a6ca66dcaf42f8
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
2016-07-26 22:48:18 +00:00
Sergio Rodriguez aca6e99106 ext/lib : mbedTLS library modifications
Porting the mbedTLS library with the minimal Thread supported
configuration; this is a highly customizable TLS/SSL library.
This shows the modifications needed to be able to compile in the
Zephyr build environment, which does not have a time.h header file,
so we avoid compilation errors.

Jira: ZEP-327
Jira: ZEP-340

Change-Id: I197ea96d33748c986c71fe5a0608225aee69c8b3
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
2016-07-26 22:47:59 +00:00
Sergio Rodriguez 8485f601cb ext/lib : Adding mbedTLS library
Adding the pristine version of mbed TLS to the zephyr source tree
as the initial step of porting the mbed TLS library to Zephyr.

Jira: ZEP-327
Jira: ZEP-340

Origin: https://tls.mbed.org/download/start/mbedtls-2.3.0-apache.tgz

Change-Id: Iae814560310ebd00af52c7b1fb9d03195388fa0c
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>
Signed-off-by: Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
2016-07-26 11:17:58 -07:00