zephyriot / zep-jira14


Port available encryption libraries needed for Thread support #287

Closed nashif closed 8 years ago

nashif commented 8 years ago

Reported by Gajinder Vij:

Provide a set of encryption libraries needed to support DTLS and Thread using a 3rd-party, well-established and license-compatible library.

The above are implemented in the iotivity version of TinyDTLS and in mbedTLS.

AES-CMAC-PRF-128 [RFC 4615] is not available in current mbedTLS, so it is tracked in a separate Jira.

(Imported from Jira ZEP-327)

nashif commented 8 years ago

by Mark Linkmeyer:

Gajinder Vij, per the ww24.2 backlog grooming meeting this issue needs more details/clarification. It's too vague as written.

nashif commented 8 years ago

by Anas Nashif:

The algorithms and ciphers are all provided by mbedTLS. We need to support both DTLS and TLS, so a good candidate that is modular and provides all the functionality needed for Thread and generic DTLS/TLS applications would be mbedTLS.

nashif commented 8 years ago

by Kuo-Lang Tseng:

Related patches:

https://gerrit.zephyrproject.org/r/#/c/3305/
https://gerrit.zephyrproject.org/r/#/c/3338/
https://gerrit.zephyrproject.org/r/#/c/3336/
https://gerrit.zephyrproject.org/r/#/c/3370/
https://gerrit.zephyrproject.org/r/#/c/3307/

nashif commented 8 years ago

by Mark Linkmeyer:

Sergio Rodriguez, please verify this functions correctly since it's labeled with "TestbyDev". Thx.

nashif commented 8 years ago

by Kuo-Lang Tseng:

  1. TLS_ECJPAKE - Yes - Verified by self-tests.
  2. HMAC-SHA256 - Supported by mbedTLS but not part of self-tests.
  3. Schnorr ZKP - Yes - Covered as part of TLS_ECJPAKE tests.
  4. AES-CCM with Tag 4 bytes - Yes - Verified by self-tests.
  5. PBKDF2 [RFC 2898] - According to RFC 2898, this implements PKCS5 and the current self-tests cover the PKCS5 tests. This requires further confirmation.
  6. AES-CMAC-PRF-128 [RFC 4615] - TBD

nashif commented 8 years ago

by Mark Linkmeyer:

Thanks for the update, Kuo-Lang Tseng. My follow-up questions:

nashif commented 8 years ago

by Jithu Joseph:

Mark Linkmeyer, I am covering for Sergio (on vacation); I will look into #5 and #6 above.

nashif commented 8 years ago

by Jithu Joseph:

5 - PBKDF2 [RFC 2898] - Yes. I was able to have it verified by the self-test after enabling (#define MBEDTLS_SHA1_C and #define MBEDTLS_PKCS5_C) in the config.

6 - AES-CMAC-PRF-128 [RFC 4615]. This doesn't seem to be currently supported by mbedtls (based on an mbedtls code search). I could find this link though, possibly indicating that work is in progress on this: https://github.com/ARMmbed/mbedtls/pull/370
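
The kind of known-answer check a PBKDF2 self-test performs, as an added Python example that is not part of this thread and is not mbedTLS code: PBKDF2 from RFC 2898 built directly on HMAC-SHA1 and checked against the published RFC 6070 vectors. The function and variable names are chosen here for illustration.

```python
import hashlib
import hmac


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 2898, section 5.2) with HMAC-SHA1 as the PRF."""
    hlen = hashlib.sha1().digest_size          # 20-byte PRF output
    nblocks = -(-dklen // hlen)                # ceil(dklen / hlen)
    out = []
    for i in range(1, nblocks + 1):
        # U_1 = PRF(P, S || INT(i)), INT(i) = 4-byte big-endian block index
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_j = PRF(P, U_{j-1}); block T_i is the XOR of every U_j
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out.append(t.to_bytes(hlen, "big"))
    return b"".join(out)[:dklen]               # truncate the last block


# Known-answer vectors from RFC 6070: (P, S, c, dkLen, expected DK in hex).
# The last two exercise a multi-block output and embedded NUL bytes, which a
# C implementation that treats the password as a string would get wrong.
RFC6070_VECTORS = [
    (b"password", b"salt", 1, 20, "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
    (b"password", b"salt", 2, 20, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"),
    (b"password", b"salt", 4096, 20, "4b007901b765489abead49d926f721d065a429c1"),
    (b"passwordPASSWORDpassword", b"saltSALTsaltSALTsaltSALTsaltSALTsalt",
     4096, 25, "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038"),
    (b"pass\x00word", b"sa\x00lt", 4096, 16, "56fa6aa75548099dcc37d7f03425e0c3"),
]


def self_test() -> list:
    """Run every vector; return indexes of failing vectors (empty means pass)."""
    failures = []
    for idx, (p, s, c, dklen, expected) in enumerate(RFC6070_VECTORS):
        got = pbkdf2_hmac_sha1(p, s, c, dklen)
        if not hmac.compare_digest(got, bytes.fromhex(expected)):
            failures.append(idx)
    return failures


if __name__ == "__main__":
    failed = self_test()
    print("PBKDF2-HMAC-SHA1 self-test:", "passed" if not failed else f"FAILED {failed}")
```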

nashif commented 8 years ago

by Kuo-Lang Tseng:

Thanks, Jithu for the update.

For #6 (#6 - AES-CMAC-PRF-128 [RFC 4615]), we need to watch upstream, and when it is added, we can integrate it into our tree.

nashif commented 8 years ago

by Kuo-Lang Tseng:

Moved out AES-CMAC-PRF-128 [RFC 4615] from the list to a new story (GH-650) to track it separately, based on comments which indicated it is currently not supported in mbedTLS. Closing this Jira story.