From 4d8edd544cb9e37d5e6e92511641b1264ec7d00e Mon Sep 17 00:00:00 2001 From: Irit Arkin Date: Mon, 24 Aug 2015 13:50:25 +0100 Subject: [PATCH 01/15] Edited Not a major edit --- yotta/data/README.md | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/yotta/data/README.md b/yotta/data/README.md index 20503c331..cabd78b67 100644 --- a/yotta/data/README.md +++ b/yotta/data/README.md @@ -2,29 +2,31 @@ mbed TLS (formerly known as PolarSSL) makes it trivially easy for developers to include cryptographic and SSL/TLS capabilities in their embedded products, with a minimal code footprint. It offers an SSL library with an intuitive API and readable source code. -The Beta release of mbed TLS integrates the mbed TLS library into mbed OS, mbed SDK and yotta. This is a preview release intended for evaluation only and is **not recommended for deployment**. This implementation currently implements no secure source of random numbers, weakening it's security. +The Beta release of mbed TLS integrates the mbed TLS library into mbed OS, mbed SDK and yotta. This is a preview release intended for evaluation only and is **not recommended for deployment**. It currently implements no secure source of random numbers, weakening its security. ## Sample programs This release includes the following examples: -1. [**TLS client:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-tls-client) found in `test/example-tls-client`, downloads a test file from an HTTPS server and looks for a specific string in that file. +1. [**TLS client:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-tls-client) found in `test/example-tls-client`. Downloads a test file from an HTTPS server and looks for a specific string in that file. -2. [**Self test:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-selftest) found in `test/example-selftest`, tests different basic functions in the mbed TLS library. +2. [**Self test:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-selftest) found in `test/example-selftest`. Tests different basic functions in the mbed TLS library. -3. [**Benchmark:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-benchmark) found in `test/example-benchmark`, measures the time taken to perform basic cryptographic functions used in the library. +3. [**Benchmark:**](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-benchmark) found in `test/example-benchmark`. Measures the time taken to perform basic cryptographic functions used in the library. -These examples are integrated as yotta tests so that they are built automatically when you build mbed TLS. You'll find other examples in the various `test/example-*` directories alongside these examples. +These examples are integrated as yotta tests, so that they are built automatically when you build mbed TLS. You'll find more examples in the various `test/example-*` directories. -## Running TLS +## Running mbed TLS -Please follow the instructions in the [TLS client sample](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-tls-client) directory, to build and run the example. These include a list of prerequisites and an explanation of building mbed TLS with yotta. +To build and run the example, please follow the instructions in the [TLS client example](https://github.com/ARMmbed/mbedtls/blob/development/yotta/data/example-tls-client) directory. These include a list of prerequisites and an explanation of building mbed TLS with yotta. ## Configuring mbed TLS features -mbed TLS makes it easy to disable any feature during compilation that isn't required for a particular project. The default configuration enables all modern and widely-used features which should meet the needs of new projects and disables all features that are older or less common, to minimise the code footprint. The list of available compilation flags is available in the fully documented [config.h file](https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/config.h), present in the `mbedtls` directory of the yotta module. +mbed TLS makes it easy to disable any feature during compilation that isn't required for a particular project. The default configuration enables all modern and widely-used features, which should meet the needs of new projects, and disables all features that are older or less common, to minimize the code footprint. -Should you need to adjust those flags, you can provide your own configuration file with suitable `#define` and `#undef` statements, to be included between the default definitions and the sanity checks. This file should be in your application's include directory and can be named freely; you just need to let mbed TLS know the name of the file, by using yotta's [configuration system](http://docs.yottabuild.org/reference/config.html). This name should go in your `config.json`, under mbedtls, as the key `user-config-file`, for example: +The list of available compilation flags is presented in the fully documented [config.h file](https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/config.h), present in the `mbedtls` directory of the yotta module. + +If you need to adjust those flags, you can provide your own configuration file with suitable `#define` and `#undef` statements. These will be included between the default definitions and the sanity checks. Your configuration file should be in your application's `include` directory, and can be named freely; you just need to let mbed TLS know the file's name. To do that, use yotta's [configuration system](http://docs.yottabuild.org/reference/config.html). The file's name should be in your `config.json` file, under mbedtls, as the key `user-config-file`. For example: { "mbedtls": { @@ -32,21 +34,21 @@ Should you need to adjust those flags, you can provide your own configuration fi } } -Please note you need to provide the exact name that will be used in the `#include` directive, including the `<>` or quotes around the name. +Please note: you need to provide the exact name that will be used in the `#include` directive, including the `<>` or quotes around the name. ## Contributing -We gratefully accept bugs and contributions from the community. There are some requirements we need to fulfil in order to be able to integrate contributions: +We gratefully accept bug reports and contributions from the community. There are some requirements we need to fullfil in order to be able to integrate contributions: * Simple bug fixes to existing code do not contain copyright themselves and we can integrate without issue. The same is true of trivial contributions. -* For larger contributions, such as a new feature, the code can possibly fall under copyright law. We then need your consent to share in the ownership of the copyright. We have a form for this, which we will mail to you in case you submit a contribution or pull request that we deem this necessary for. +* For larger contributions, such as a new feature, the code can possibly fall under copyright law. We then need your consent to share in the ownership of the copyright. We have a form for this, which we will send to you in case you submit a contribution or pull request that we deem this necessary for. To contribute, please: * [Check for open issues](https://github.com/ARMmbed/mbedtls/issues) or [start a discussion](https://tls.mbed.org/discussions) around a feature idea or a bug. -* Fork the [mbed TLS repository on Github](https://github.com/ARMmbed/mbedtls) to start making your changes. As a general rule, you should use the "development" branch as a basis. +* Fork the [mbed TLS repository on GitHub](https://github.com/ARMmbed/mbedtls) to start making your changes. As a general rule, you should use the "development" branch as a basis. * Write a test that shows that the bug was fixed or that the feature works as expected. From 9acf88bdff57b89e105ba0a609cc33d8692b8b15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 21 Aug 2015 17:06:22 +0200 Subject: [PATCH 02/15] Ship license files with the yotta module --- yotta/create-module.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/yotta/create-module.sh b/yotta/create-module.sh index 1386c0741..4c79ebe51 100755 --- a/yotta/create-module.sh +++ b/yotta/create-module.sh @@ -37,6 +37,9 @@ cp -r data/example-* $TMP/test cp data/module.json $TMP cp data/README.md $TMP +cp ../LICENSE $TMP +if [ -f ../apache-2.0.txt ]; then cp ../apache-2.0.txt $TMP; fi + mkdir -p $DEST rsync -cr --delete --exclude build --exclude yotta_\* $TMP/ $DEST/ rm -rf $TMP From 3dce9ec3af70eed92e5005917dab6ba6f68e0b6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 27 Aug 2015 10:07:09 +0200 Subject: [PATCH 03/15] Sync yotta and general readme again --- README.rst | 6 +++--- yotta/data/README.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.rst b/README.rst index bc0204b3f..8f5cac774 100644 --- a/README.rst +++ b/README.rst @@ -170,18 +170,18 @@ We provide some non-standard configurations focused on specific use cases in the Contributing ============ -We gratefully accept bugs and contributions from the community. There are some requirements we need to fulfil in order to be able to integrate contributions: +We gratefully accept bug reports and contributions from the community. There are some requirements we need to fulfill in order to be able to integrate contributions: - Simple bug fixes to existing code do not contain copyright themselves and we can integrate without issue. The same is true of trivial contributions. -- For larger contributions, such as a new feature, the code can possibly fall under copyright law. We then need your consent to share in the ownership of the copyright. We have a form for this, which we will mail to you in case you submit a contribution or pull request that we deem this necessary for. +- For larger contributions, such as a new feature, the code can possibly fall under copyright law. We then need your consent to share in the ownership of the copyright. We have a form for this, which we will send to you in case you submit a contribution or pull request that we deem this necessary for. Process ------- #. `Check for open issues `_ or `start a discussion `_ around a feature idea or a bug. -#. Fork the `mbed TLS repository on Github `_ +#. Fork the `mbed TLS repository on GitHub `_ to start making your changes. As a general rule, you should use the "development" branch as a basis. #. Write a test which shows that the bug was fixed or that the feature works diff --git a/yotta/data/README.md b/yotta/data/README.md index cabd78b67..e6a89e850 100644 --- a/yotta/data/README.md +++ b/yotta/data/README.md @@ -38,7 +38,7 @@ Please note: you need to provide the exact name that will be used in the `#inclu ## Contributing -We gratefully accept bug reports and contributions from the community. There are some requirements we need to fullfil in order to be able to integrate contributions: +We gratefully accept bug reports and contributions from the community. There are some requirements we need to fulfill in order to be able to integrate contributions: * Simple bug fixes to existing code do not contain copyright themselves and we can integrate without issue. The same is true of trivial contributions. From 1385a289f414d580eb60b0beb6f7528ee39bdbf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 27 Aug 2015 11:30:58 +0200 Subject: [PATCH 04/15] Fix possible mutex lock/unlock mismatch fixes #257 --- ChangeLog | 3 +++ library/rsa.c | 65 +++++++++++++-------------------------------------- 2 files changed, 19 insertions(+), 49 deletions(-) diff --git a/ChangeLog b/ChangeLog index f74ba3444..e318bcb65 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ Bugfix * Fix error when loading libmbedtls.so. * Fix bug in mbedtls_ssl_conf_default() that caused the default preset to be always used (found by dcb314) (#235) + * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could + result trying to unlock an unlocked mutex on invalid input (found by + Fredrik Axelsson) (#257) Changes * The PEM parser now accepts a trailing space at end of lines (#226). diff --git a/library/rsa.c b/library/rsa.c index a8f0df95b..20c0ddc48 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -274,6 +274,11 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx, mbedtls_mpi_init( &T ); +#if defined(MBEDTLS_THREADING_C) + if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) + return( ret ); +#endif + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) @@ -282,11 +287,6 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx, return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); } -#if defined(MBEDTLS_THREADING_C) - if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) - return( ret ); -#endif - olen = ctx->len; MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); @@ -311,16 +311,11 @@ cleanup: * DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer * Berlin Heidelberg, 1996. p. 104-113. */ -static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, mbedtls_mpi *Vi, mbedtls_mpi *Vf, +static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret, count = 0; -#if defined(MBEDTLS_THREADING_C) - if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) - return( ret ); -#endif - if( ctx->Vf.p != NULL ) { /* We already have blinding values, just update them by squaring */ @@ -329,7 +324,7 @@ static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, mbedtls_mpi *Vi, mbed MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) ); - goto done; + goto cleanup; } /* Unblinding value: Vf = random number, invertible mod N */ @@ -345,19 +340,8 @@ static int rsa_prepare_blinding( mbedtls_rsa_context *ctx, mbedtls_mpi *Vi, mbed MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) ); -done: - if( Vi != &ctx->Vi ) - { - MBEDTLS_MPI_CHK( mbedtls_mpi_copy( Vi, &ctx->Vi ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_copy( Vf, &ctx->Vf ) ); - } cleanup: -#if defined(MBEDTLS_THREADING_C) - if( ( ret = mbedtls_mutex_unlock( &ctx->mutex ) ) != 0 ) - return( ret ); -#endif - return( ret ); } @@ -373,26 +357,14 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, int ret; size_t olen; mbedtls_mpi T, T1, T2; - mbedtls_mpi *Vi, *Vf; - - /* - * When using the Chinese Remainder Theorem, we use blinding values. - * Without threading, we just read them directly from the context, - * otherwise we make a local copy in order to reduce locking contention. - */ -#if defined(MBEDTLS_THREADING_C) - mbedtls_mpi Vi_copy, Vf_copy; - - mbedtls_mpi_init( &Vi_copy ); mbedtls_mpi_init( &Vf_copy ); - Vi = &Vi_copy; - Vf = &Vf_copy; -#else - Vi = &ctx->Vi; - Vf = &ctx->Vf; -#endif mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); +#if defined(MBEDTLS_THREADING_C) + if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) + return( ret ); +#endif + MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) { @@ -406,16 +378,11 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * Blinding * T = T * Vi mod N */ - MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, Vi, Vf, f_rng, p_rng ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, Vi ) ); + MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); } -#if defined(MBEDTLS_THREADING_C) - if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) - return( ret ); -#endif - #if defined(MBEDTLS_RSA_NO_CRT) MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) ); #else @@ -448,7 +415,7 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * Unblind * T = T * Vf mod N */ - MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, Vf ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); } @@ -459,8 +426,8 @@ cleanup: #if defined(MBEDTLS_THREADING_C) if( ( ret = mbedtls_mutex_unlock( &ctx->mutex ) ) != 0 ) return( ret ); - mbedtls_mpi_free( &Vi_copy ); mbedtls_mpi_free( &Vf_copy ); #endif + mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); if( ret != 0 ) From cd8c0fbf60ff2548749e48e6f95a90029d45b7a5 Mon Sep 17 00:00:00 2001 From: Irit Arkin Date: Thu, 27 Aug 2015 15:44:11 +0100 Subject: [PATCH 05/15] Very small edit --- yotta/data/example-benchmark/README.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/yotta/data/example-benchmark/README.md b/yotta/data/example-benchmark/README.md index 01d9e2c63..1a534a2f3 100644 --- a/yotta/data/example-benchmark/README.md +++ b/yotta/data/example-benchmark/README.md @@ -4,14 +4,14 @@ This application benchmarks the various cryptographic primitives offered by mbed ## Pre-requisites -To build and run this example the following requirements are necessary: +To build and run this example you must have: * A computer with the following software installed: * [CMake](http://www.cmake.org/download/). * [yotta](https://github.com/ARMmbed/yotta). Please note that **yotta has its own set of dependencies**, listed in the [installation instructions](http://armmbed.github.io/yotta/#installing-on-windows). * [Python](https://www.python.org/downloads/). - * [ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded). - * A serial terminal emulator (e.g. screen, pySerial, cu). + * [The ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded). + * A serial terminal emulator (Like screen, pySerial and cu). * An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board supported by mbed OS (in which case you'll have to substitute frdm-k64f-gcc with the appropriate target in the instructions below). * A micro-USB cable. * If your OS is Windows, please follow the installation instructions [for the serial port driver](https://developer.mbed.org/handbook/Windows-serial-configuration). @@ -36,9 +36,15 @@ To build and run this example the following requirements are necessary: 5. Copy `build/frdm-k64f-gcc/test/mbedtls-test-example-benchmark.bin` to your mbed board and wait until the LED next to the USB port stops blinking. -6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. For settings, use 115200 baud, 8N1, no flow control. **Warning:** for this example, the baud rate is not the default 9600, it is 115200. +6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. -7. Press the reset button on the board. + Use the following settings: + + * 115200 baud (not 9600). + * 8N1. + * No flow control. + +7. Press the Reset button on the board. 8. The output in the terminal window should look like: From c4d9d32b629a912e747bf5c8823ea5dd64984eef Mon Sep 17 00:00:00 2001 From: Irit Arkin Date: Thu, 27 Aug 2015 15:47:00 +0100 Subject: [PATCH 06/15] Small edit --- yotta/data/example-authcrypt/README.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/yotta/data/example-authcrypt/README.md b/yotta/data/example-authcrypt/README.md index 0a7354c54..ae4b1efa9 100644 --- a/yotta/data/example-authcrypt/README.md +++ b/yotta/data/example-authcrypt/README.md @@ -4,14 +4,14 @@ This application performs authenticated encryption and authenticated decryption ## Pre-requisites -To build and run this example the following requirements are necessary: +To build and run this example you must have: * A computer with the following software installed: * [CMake](http://www.cmake.org/download/). * [yotta](https://github.com/ARMmbed/yotta). Please note that **yotta has its own set of dependencies**, listed in the [installation instructions](http://armmbed.github.io/yotta/#installing-on-windows). * [Python](https://www.python.org/downloads/). - * [ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded). - * A serial terminal emulator (e.g. screen, pySerial, cu). + * [The ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded). + * A serial terminal emulator (Like screen, pySerial and cu). * An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board supported by mbed OS (in which case you'll have to substitute frdm-k64f-gcc with the appropriate target in the instructions below). * A micro-USB cable. * If your OS is Windows, please follow the installation instructions [for the serial port driver](https://developer.mbed.org/handbook/Windows-serial-configuration). @@ -36,9 +36,15 @@ To build and run this example the following requirements are necessary: 5. Copy `build/frdm-k64f-gcc/test/mbedtls-test-example-authcrypt.bin` to your mbed board and wait until the LED next to the USB port stops blinking. -6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. For settings, use 115200 baud, 8N1, no flow control. **Warning:** for this example, the baud rate is not the default 9600, it is 115200. +6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. -7. Press the reset button on the board. + Use the following settings: + + * 115200 baud (not 9600). + * 8N1. + * No flow control. + +7. Press the Reset button on the board. 8. The output in the terminal window should look like: @@ -59,4 +65,4 @@ To build and run this example the following requirements are necessary: {{end}} ``` -The actual output for the ciphertext line will vary on each run due to the use of a random nonce in the encryption process. +The actual output for the ciphertext line will vary on each run because of the use of a random nonce in the encryption process. From fb404105476d82b7550d6ec69c385dc50410b74a Mon Sep 17 00:00:00 2001 From: Irit Arkin Date: Thu, 27 Aug 2015 15:56:44 +0100 Subject: [PATCH 07/15] Small edit --- yotta/data/example-hashing/README.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/yotta/data/example-hashing/README.md b/yotta/data/example-hashing/README.md index ad253cb76..553c3a618 100644 --- a/yotta/data/example-hashing/README.md +++ b/yotta/data/example-hashing/README.md @@ -4,14 +4,14 @@ This application performs hashing of a buffer with SHA-256 using various APIs. I ## Pre-requisites -To build and run this example the following requirements are necessary: +To build and run this example you must have: * A computer with the following software installed: * [CMake](http://www.cmake.org/download/). * [yotta](https://github.com/ARMmbed/yotta). Please note that **yotta has its own set of dependencies**, listed in the [installation instructions](http://armmbed.github.io/yotta/#installing-on-windows). * [Python](https://www.python.org/downloads/). - * [ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded). - * A serial terminal emulator (e.g. screen, pySerial, cu). + * [The ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded). + * A serial terminal emulator (Like screen, pySerial and cu). * An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board supported by mbed OS (in which case you'll have to substitute frdm-k64f-gcc with the appropriate target in the instructions below). * A micro-USB cable. * If your OS is Windows, please follow the installation instructions [for the serial port driver](https://developer.mbed.org/handbook/Windows-serial-configuration). @@ -36,9 +36,15 @@ To build and run this example the following requirements are necessary: 5. Copy `build/frdm-k64f-gcc/test/mbedtls-test-example-hashing.bin` to your mbed board and wait until the LED next to the USB port stops blinking. -6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. For settings, use 115200 baud, 8N1, no flow control. **Warning:** for this example, the baud rate is not the default 9600, it is 115200. +6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. -7. Press the reset button on the board. + Use the following settings: + + * 115200 baud (not 9600). + * 8N1. + * No flow control. + +7. Press the Reset button on the board. 8. The output in the terminal window should look like: From 36936bff6eba06abe3a84b7ce2d597db22e65642 Mon Sep 17 00:00:00 2001 From: Irit Arkin Date: Thu, 27 Aug 2015 15:57:54 +0100 Subject: [PATCH 08/15] Small edit --- yotta/data/example-selftest/README.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/yotta/data/example-selftest/README.md b/yotta/data/example-selftest/README.md index 0312d8c24..5bc22a685 100644 --- a/yotta/data/example-selftest/README.md +++ b/yotta/data/example-selftest/README.md @@ -1,17 +1,17 @@ # mbed TLS Selftest Example -This application runs the various selftest function of individual mbed TLS components. It serves as a basic sanity check to verify operation of mbed TLS on your platform. In the future, a wider portion of the mbed TLS test suite will become part of this example application. +This application runs the various selftest functions of individual mbed TLS components. It serves as a basic sanity check to verify operation of mbed TLS on your platform. In the future, a wider portion of the mbed TLS test suite will become part of this example application. ## Pre-requisites -To build and run this example the following requirements are necessary: +To build and run this example you must have: * A computer with the following software installed: * [CMake](http://www.cmake.org/download/). * [yotta](https://github.com/ARMmbed/yotta). Please note that **yotta has its own set of dependencies**, listed in the [installation instructions](http://armmbed.github.io/yotta/#installing-on-windows). * [Python](https://www.python.org/downloads/). - * [ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded). - * A serial terminal emulator (e.g. screen, pySerial, cu). + * [The ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded). + * A serial terminal emulator (Like screen, pySerial and cu). * An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board supported by mbed OS (in which case you'll have to substitute frdm-k64f-gcc with the appropriate target in the instructions below). * A micro-USB cable. * If your OS is Windows, please follow the installation instructions [for the serial port driver](https://developer.mbed.org/handbook/Windows-serial-configuration). @@ -36,9 +36,15 @@ To build and run this example the following requirements are necessary: 5. Copy `build/frdm-k64f-gcc/test/mbedtls-test-example-selftest.bin` to your mbed board and wait until the LED next to the USB port stops blinking. -6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. For settings, use 115200 baud, 8N1, no flow control. **Warning:** for this example, the baud rate is not the default 9600, it is 115200. +6. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. -7. Press the reset button on the board. + Use the following settings: + + * 115200 baud (not 9600). + * 8N1. + * No flow control. + +7. Press the Reset button on the board. 8. The output in the terminal window should look like: From 9cdd0d55f2e1acc9d84dd36409f87a7a633a32f3 Mon Sep 17 00:00:00 2001 From: Irit Arkin Date: Fri, 28 Aug 2015 09:27:57 +0100 Subject: [PATCH 09/15] Small edit --- yotta/data/example-tls-client/README.md | 36 +++++++++++++++---------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/yotta/data/example-tls-client/README.md b/yotta/data/example-tls-client/README.md index f245ea173..c181933a1 100644 --- a/yotta/data/example-tls-client/README.md +++ b/yotta/data/example-tls-client/README.md @@ -1,4 +1,4 @@ -# HTTPS File Download Example/ TLS Client +# HTTPS File Download Example for TLS Client This application downloads a file from an HTTPS server (developer.mbed.org) and looks for a specific string in that file. @@ -6,25 +6,25 @@ This example is implemented as a logic class (HelloHTTPS) wrapping a TCP socket ## Pre-requisites -To build and run this example the following requirements are necessary: +To build and run this example you must have: * A computer with the following software installed: * [CMake](http://www.cmake.org/download/). * [yotta](https://github.com/ARMmbed/yotta). Please note that **yotta has its own set of dependencies**, listed in the [installation instructions](http://armmbed.github.io/yotta/#installing-on-windows). * [Python](https://www.python.org/downloads/). - * [ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded). - * A serial terminal emulator (e.g. screen, pySerial, cu). -* An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board that has an ethernet port and is supported by mbed OS (in which case you'll have to substitute frdm-k64f-gcc with the appropriate target in the instructions below). -* An ethernet connection to the internet. -* An ethernet cable. + * [The ARM GCC toolchain](https://launchpad.net/gcc-arm-embedded). + * A serial terminal emulator (Like screen, pySerial and cu). +* An [FRDM-K64F](http://developer.mbed.org/platforms/FRDM-K64F/) development board, or another board supported by mbed OS (in which case you'll have to substitute frdm-k64f-gcc with the appropriate target in the instructions below). * A micro-USB cable. +* An Ethernet connection to the internet. +* An Ethernet cable. * If your OS is Windows, please follow the installation instructions [for the serial port driver](https://developer.mbed.org/handbook/Windows-serial-configuration). ## Getting started -1. Connect the FRDM-K64F to the internet using the ethernet cable. +1. Connect the FRDM-K64F to the internet using the Ethernet cable. -2. Connect the FRDM-K64F to the computer with the micro-USB cable, being careful to use the "OpenSDA" connector on the target board. +2. Connect the FRDM-K64F to the computer with the micro-USB cable, being careful to use the "OpenSDA" connector on the target board. 3. Navigate to the mbedtls directory supplied with your release and open a terminal. @@ -42,9 +42,15 @@ To build and run this example the following requirements are necessary: 6. Copy `build/frdm-k64f-gcc/test/mbedtls-test-example-tls-client.bin` to your mbed board and wait until the LED next to the USB port stops blinking. -7. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. For settings, use 115200 baud, 8N1, no flow control. **Warning:** for this example, the baud rate is not the default 9600, it is 115200. +7. Start the serial terminal emulator and connect to the virtual serial port presented by FRDM-K64F. -8. Press the reset button on the board. + Use the following settings: + + * 115200 baud (not 9600). + * 8N1. + * No flow control. + +8. Press the Reset button on the board. 9. The output in the terminal window should look similar to this: @@ -105,9 +111,9 @@ To build and run this example the following requirements are necessary: ## Debugging the TLS connection -If you are experiencing problems with this example, you should first rule out network issues by making sure the [simple HTTP file downloader example](https://github.com/ARMmbed/mbed-example-network-private/tree/maste r/test/helloworld-tcpclient) for the TCP module works as expected. If not, please follow the debug instructions for this example. +If you are experiencing problems with this example, you should first rule out network issues by making sure the [simple HTTP file downloader example](https://github.com/ARMmbed/mbed-example-network-private/tree/master/test/helloworld-tcpclient) for the TCP module works as expected. If not, please follow the debug instructions below. -To print out more debug information about the TLS connection, edit the file `source/main.cpp` and change the definition of `DEBUG_LEVEL` near the top of the file from 0 to a positive number: +To print out more debug information about the TLS connection, edit the file `source/main.cpp` and change the definition of `DEBUG_LEVEL` (near the top of the file) from 0 to a positive number: * Level 1 only prints non-zero return codes from SSL functions and information about the full certificate chain being verified. @@ -125,4 +131,6 @@ If the TLS connection is failing with an error similar to: Failed to fetch /media/uploads/mbed_official/hello.txt from developer.mbed.org:443 ``` -it probably means you need to update the contents of the `SSL_CA_PEM` constant (this can happen if you modify `HTTPS_SERVER_NAME`, or when `developer.mbed.org` switches to a new CA when updating its certificate). Another reason for this error may be a proxy providing a different certificate. Proxys can be used in some network configurations or for performing man-in-the-middle attacks. If you choose to ignore this error and proceed with the connection anyway, you can change the definition of `UNSAFE` near the top of the file from 0 to 1. **Warning:** this removes all security against a possible attacker, therefore use at your own risk, or for debugging only! +it probably means you need to update the contents of the `SSL_CA_PEM` constant (this can happen if you modify `HTTPS_SERVER_NAME`, or when `developer.mbed.org` switches to a new CA when updating its certificate). + +Another reason for this error may be a proxy providing a different certificate. Proxies can be used in some network configurations or for performing man-in-the-middle attacks. If you choose to ignore this error and proceed with the connection anyway, you can change the definition of `UNSAFE` near the top of the file from 0 to 1. **Warning:** this removes all security against a possible attacker, therefore use at your own risk, or for debugging only! From 6a6619b24bebfd4f9d8573a0383b390d83aef1bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 31 Aug 2015 09:29:08 +0200 Subject: [PATCH 10/15] Fix last edit --- yotta/data/example-tls-client/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yotta/data/example-tls-client/README.md b/yotta/data/example-tls-client/README.md index c181933a1..39452a58f 100644 --- a/yotta/data/example-tls-client/README.md +++ b/yotta/data/example-tls-client/README.md @@ -111,7 +111,7 @@ To build and run this example you must have: ## Debugging the TLS connection -If you are experiencing problems with this example, you should first rule out network issues by making sure the [simple HTTP file downloader example](https://github.com/ARMmbed/mbed-example-network-private/tree/master/test/helloworld-tcpclient) for the TCP module works as expected. If not, please follow the debug instructions below. +If you are experiencing problems with this example, you should first rule out network issues by making sure the [simple HTTP file downloader example](https://github.com/ARMmbed/mbed-example-network-private/tree/master/test/helloworld-tcpclient) for the TCP module works as expected. If not, please follow the debug instructions for the HTTP file example before proceeding with the instructions below. To print out more debug information about the TLS connection, edit the file `source/main.cpp` and change the definition of `DEBUG_LEVEL` (near the top of the file) from 0 to a positive number: @@ -133,4 +133,4 @@ If the TLS connection is failing with an error similar to: it probably means you need to update the contents of the `SSL_CA_PEM` constant (this can happen if you modify `HTTPS_SERVER_NAME`, or when `developer.mbed.org` switches to a new CA when updating its certificate). -Another reason for this error may be a proxy providing a different certificate. Proxies can be used in some network configurations or for performing man-in-the-middle attacks. If you choose to ignore this error and proceed with the connection anyway, you can change the definition of `UNSAFE` near the top of the file from 0 to 1. **Warning:** this removes all security against a possible attacker, therefore use at your own risk, or for debugging only! +Another reason for this error may be a proxy providing a different certificate. Proxies can be used in some network configurations or for performing man-in-the-middle attacks. If you choose to ignore this error and proceed with the connection anyway, you can change the definition of `UNSAFE` near the top of the file from 0 to 1. **Warning:** this removes all security against a possible active attacker, therefore use at your own risk, or for debugging only! From 4d04cdcd12d81756f214aeb36009a6111b6dc85b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 28 Aug 2015 10:32:21 +0200 Subject: [PATCH 11/15] Fix RSA mutex fix Once the mutex is acquired, we must goto cleanup rather that return. Since cleanup adjusts the return value, adjust that in test cases. Also, at cleanup we don't want to overwrite 'ret', or we'll loose track of errors. see #257 --- library/rsa.c | 16 ++++++++-------- tests/suites/test_suite_rsa.data | 6 +++--- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 20c0ddc48..11678083d 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -283,8 +283,8 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx, if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) { - mbedtls_mpi_free( &T ); - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; + goto cleanup; } olen = ctx->len; @@ -293,8 +293,8 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx, cleanup: #if defined(MBEDTLS_THREADING_C) - if( ( ret = mbedtls_mutex_unlock( &ctx->mutex ) ) != 0 ) - return( ret ); + if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) + return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); #endif mbedtls_mpi_free( &T ); @@ -368,8 +368,8 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) ); if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 ) { - mbedtls_mpi_free( &T ); - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA; + goto cleanup; } if( f_rng != NULL ) @@ -424,8 +424,8 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, cleanup: #if defined(MBEDTLS_THREADING_C) - if( ( ret = mbedtls_mutex_unlock( &ctx->mutex ) ) != 0 ) - return( ret ); + if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) + return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); #endif mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data index 370b37447..c43d6ae51 100644 --- a/tests/suites/test_suite_rsa.data +++ b/tests/suites/test_suite_rsa.data @@ -234,7 +234,7 @@ mbedtls_rsa_pkcs1_encrypt:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c RSA PKCS1 Decrypt #2 (Data too small) depends_on:MBEDTLS_PKCS1_V15 -mbedtls_rsa_pkcs1_decrypt:"deadbeafcafedeadbeeffedcba9876":MBEDTLS_RSA_PKCS_V15:2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":1000:"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_ERR_RSA_BAD_INPUT_DATA +mbedtls_rsa_pkcs1_decrypt:"deadbeafcafedeadbeeffedcba9876":MBEDTLS_RSA_PKCS_V15:2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":1000:"4E636AF98E40F3ADCFCCB698F4E80B9F":MBEDTLS_ERR_RSA_PRIVATE_FAILED + MBEDTLS_ERR_MPI_BAD_INPUT_DATA RSA PKCS1 Encrypt #3 (Invalid padding mode) mbedtls_rsa_pkcs1_encrypt:"4E636AF98E40F3ADCFCCB698F4E80B9F":2:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"a42eda41e56235e666e7faaa77100197f657288a1bf183e4820f0c37ce2c456b960278d6003e0bbcd4be4a969f8e8fd9231e1f492414f00ed09844994c86ec32db7cde3bec7f0c3dbf6ae55baeb2712fa609f5fc3207a824eb3dace31849cd6a6084318523912bccb84cf42e3c6d6d1685131d69bb545acec827d2b0dfdd5568b7dcc4f5a11d6916583fefa689d367f8c9e1d95dcd2240895a9470b0c1730f97cd6e8546860bd254801769f54be96e16362ddcbf34d56035028890199e0f48db38642cb66a4181e028a6443a404fea284ce02b4614b683367d40874e505611d23142d49f06feea831d52d347b13610b413c4efc43a6de9f0b08d2a951dc503b6":MBEDTLS_ERR_RSA_INVALID_PADDING @@ -337,13 +337,13 @@ RSA Private (Correct) mbedtls_rsa_private:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"48ce62658d82be10737bd5d3579aed15bc82617e6758ba862eeb12d049d7bacaf2f62fce8bf6e980763d1951f7f0eae3a493df9890d249314b39d00d6ef791de0daebf2c50f46e54aeb63a89113defe85de6dbe77642aae9f2eceb420f3a47a56355396e728917f17876bb829fabcaeef8bf7ef6de2ff9e84e6108ea2e52bbb62b7b288efa0a3835175b8b08fac56f7396eceb1c692d419ecb79d80aef5bc08a75d89de9f2b2d411d881c0e3ffad24c311a19029d210d3d3534f1b626f982ea322b4d1cfba476860ef20d4f672f38c371084b5301b429b747ea051a619e4430e0dac33c12f9ee41ca4d81a4f6da3e495aa8524574bdc60d290dd1f7a62e90a67":0 RSA Private (Data larger than N) -mbedtls_rsa_private:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8":MBEDTLS_ERR_RSA_BAD_INPUT_DATA +mbedtls_rsa_private:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8":MBEDTLS_ERR_RSA_PRIVATE_FAILED + MBEDTLS_ERR_MPI_BAD_INPUT_DATA RSA Public (Correct) mbedtls_rsa_public:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"1f5e927c13ff231090b0f18c8c3526428ed0f4a7561457ee5afe4d22d5d9220c34ef5b9a34d0c07f7248a1f3d57f95d10f7936b3063e40660b3a7ca3e73608b013f85a6e778ac7c60d576e9d9c0c5a79ad84ceea74e4722eb3553bdb0c2d7783dac050520cb27ca73478b509873cb0dcbd1d51dd8fccb96c29ad314f36d67cc57835d92d94defa0399feb095fd41b9f0b2be10f6041079ed4290040449f8a79aba50b0a1f8cf83c9fb8772b0686ec1b29cb1814bb06f9c024857db54d395a8da9a2c6f9f53b94bec612a0cb306a3eaa9fc80992e85d9d232e37a50cabe48c9343f039601ff7d95d60025e582aec475d031888310e8ec3833b394a5cf0599101e":0 RSA Public (Data larger than N) -mbedtls_rsa_public:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8":MBEDTLS_ERR_RSA_BAD_INPUT_DATA +mbedtls_rsa_public:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"605baf947c0de49e4f6a0dfb94a43ae318d5df8ed20ba4ba5a37a73fb009c5c9e5cce8b70a25b1c7580f389f0d7092485cdfa02208b70d33482edf07a7eafebdc54862ca0e0396a5a7d09991b9753eb1ffb6091971bb5789c6b121abbcd0a3cbaa39969fa7c28146fce96c6d03272e3793e5be8f5abfa9afcbebb986d7b3050604a2af4d3a40fa6c003781a539a60259d1e84f13322da9e538a49c369b83e7286bf7d30b64bbb773506705da5d5d5483a563a1ffacc902fb75c9a751b1e83cdc7a6db0470056883f48b5a5446b43b1d180ea12ba11a6a8d93b3b32a30156b6084b7fb142998a2a0d28014b84098ece7d9d5e4d55cc342ca26f5a0167a679dec8":MBEDTLS_ERR_RSA_PUBLIC_FAILED + MBEDTLS_ERR_MPI_BAD_INPUT_DATA RSA Generate Key mbedtls_rsa_gen_key:128:3:0 From bb83844a1dfebaf0df53ab62b7241d011c065aa5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 31 Aug 2015 12:46:01 +0200 Subject: [PATCH 12/15] Clarify that there are two SSL I/O buffers --- include/mbedtls/config.h | 2 +- include/mbedtls/ssl.h | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 376de6f68..17271c1ac 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -2399,7 +2399,7 @@ //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */ /* SSL options */ -//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */ +//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ //#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */ //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 4f526d463..288627bf1 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -220,7 +220,9 @@ #endif /* - * Size of the input / output buffer. + * Maxium fragment length in bytes, + * determines the size of each of the two internal I/O buffers. + * * Note: the RFC defines the default size of SSL / TLS messages. If you * change the value here, other clients / servers may not be able to * communicate with you anymore. Only change this value if you control From d68434efbad8465e388ee5cc86cb28253f2539fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 31 Aug 2015 12:48:22 +0200 Subject: [PATCH 13/15] Disable some tests with valgrind Tends to cause spurious failures on buildbots due to peer timing out. Anyway, those tests are mainly for interop, any memory error is most likely catched by some earlier self-op test. (Also, we'll run these tests with ASan anyway.) --- tests/ssl-opt.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index dadadf546..bd36e227b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3233,6 +3233,7 @@ run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \ -c "HTTP/1.0 200 OK" needs_more_time 6 +not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, openssl server" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_SRV -dtls1 -mtu 2048" \ @@ -3241,6 +3242,7 @@ run_test "DTLS proxy: 3d, openssl server" \ -c "HTTP/1.0 200 OK" needs_more_time 8 +not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, openssl server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_SRV -dtls1 -mtu 768" \ @@ -3249,6 +3251,7 @@ run_test "DTLS proxy: 3d, openssl server, fragmentation" \ -c "HTTP/1.0 200 OK" needs_more_time 8 +not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_SRV -dtls1 -mtu 768" \ @@ -3258,6 +3261,7 @@ run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \ requires_gnutls needs_more_time 6 +not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_SRV -u --mtu 2048 -a" \ @@ -3268,6 +3272,7 @@ run_test "DTLS proxy: 3d, gnutls server" \ requires_gnutls needs_more_time 8 +not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_SRV -u --mtu 512" \ @@ -3278,6 +3283,7 @@ run_test "DTLS proxy: 3d, gnutls server, fragmentation" \ requires_gnutls needs_more_time 8 +not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_SRV -u --mtu 512" \ From c881ca8502362ea2d971693bea74d982009baebc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 1 Sep 2015 10:08:28 +0200 Subject: [PATCH 14/15] Document how to build shared libs with CMake Also updated https://tls.mbed.org/kb/compiling-and-building/how-do-i-build-compile-mbedtls closes #267 --- README.rst | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/README.rst b/README.rst index 8f5cac774..db39512d9 100644 --- a/README.rst +++ b/README.rst @@ -89,13 +89,24 @@ CMake In order to build the source using CMake, just enter at the command line:: cmake . - make +In order to run the tests, enter:: + + make test + The test suites need Perl to be built. If you don't have Perl installed, you'll want to disable the test suites with:: cmake -DENABLE_TESTING=Off . +If you disabled the test suites, but kept the programs enabled, you can still run a much smaller set of tests with:: + + programs/test/selftest + +To configure CMake for building a shared library, use:: + + cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On . + There are many different build modes available within the CMake buildsystem. Most of them are available for gcc and clang, though some are compiler-specific: - Release. @@ -121,23 +132,19 @@ There are many different build modes available within the CMake buildsystem. Mos This activates the compiler warnings that depend on optimization and treats all warnings as errors. -Switching build modes in CMake is simple. For debug mode, enter at the command line: +Switching build modes in CMake is simple. For debug mode, enter at the command line:: - cmake -D CMAKE_BUILD_TYPE:String="Debug" . + cmake -D CMAKE_BUILD_TYPE=Debug . + +To list other available CMake options, use:: + + cmake -LH Note that, with CMake, if you want to change the compiler or its options after you already ran CMake, you need to clear its cache first, eg (using GNU find):: find . -iname '*cmake*' -not -name CMakeLists.txt -exec rm -rf {} + CC=gcc CFLAGS='-fstack-protector-strong -Wa,--noexecstack' cmake . -In order to run the tests, enter:: - - make test - -If you disabled the test suites, but kept the progams enabled, you can still run a much smaller set of tests with:: - - programs/test/selftest - Microsoft Visual Studio ----------------------- From 4f202badec36286b957bf0854b6225ccba26b8fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 1 Sep 2015 10:26:47 +0200 Subject: [PATCH 15/15] Document the three libraries in Readme see #266 --- README.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.rst b/README.rst index db39512d9..ceb92c453 100644 --- a/README.rst +++ b/README.rst @@ -28,6 +28,8 @@ Please note that the yotta option is slightly different from the other build sys - a more minimalistic configuration file is used by default - depending on the yotta target, features of mbed OS will be used in examples and tests +The Make and CMake build systems create three libraries: libmbedcrypto, libmbedx509, and libmbedtls. Note that libmbedtls depends on libmbedx509 and libmbedcrypto, and libmbedx509 depends on libmbedcrypto. As a result, some linkers will expect flags to be in a specific order, for example the GNU linker wants `-lmbedtls -lmbedx509 -lmbedcrypto`. Also, when loading shared libraries using `dlopen()`, you'll need to load `libmbedcrypto` first, then `libmbedx509`, before you can load `libmbedtls`. + Yotta ----- @@ -77,7 +79,7 @@ You'll still be able to run a much smaller set of tests with:: In order to build for a Windows platform, you should use WINDOWS_BUILD=1 if the target is Windows but the build environment is Unix-like (for instance when cross-compiling, or compiling from an MSYS shell), and WINDOWS=1 if the build environment is a Windows shell (for instance using mingw32-make) (in that case some targets will not be available). -Setting the variable SHARED in your environment will build a shared library in addition to the static library. Setting DEBUG gives you a debug build. You can override CFLAGS and LDFLAGS by setting them in your environment or on the make command line; if you do so, essential parts such as -I will still be preserved. Warning options may be overridden separately using WARNING_CFLAGS. +Setting the variable SHARED in your environment will build shared libraries in addition to the static libraries. Setting DEBUG gives you a debug build. You can override CFLAGS and LDFLAGS by setting them in your environment or on the make command line; if you do so, essential parts such as -I will still be preserved. Warning options may be overridden separately using WARNING_CFLAGS. Depending on your platform, you might run into some issues. Please check the Makefiles in *library/*, *programs/* and *tests/* for options to manually add or remove for specific platforms. You can also check `the mbed TLS Knowledge Base `_ for articles on your platform or issue. @@ -103,7 +105,7 @@ If you disabled the test suites, but kept the programs enabled, you can still ru programs/test/selftest -To configure CMake for building a shared library, use:: +To configure CMake for building shared libraries, use:: cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On .